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PREFACE 


The "Payload Safety Guidelines Handbook" has been prepared to assist STS (Space 
Transportation System) payload developers in achieving compliance with the documented 
payload safety requirements of the NASA Office of Spaceflight. The guidelines contained in 
this handbook apply to all payloads to be carried by the STS. They are not to be construed as 
requirements but are suggested design or operational options for the elimination and/or control 
of hazards. 

The guidelines incorporate system safety experience accumulated by NASA, DOD, and 
aerospace industry sources on manned and unmanned spacecraft and aircraft. Of necessity, the 
guidelines are generic because they are intended to be applicable to any payload. 

This publication will be reviewed and revised as appropriate to reflect new experience or 
changing emphasis to ensure continuing viability. Any questions or requests for additions and 
changes should be directed to Mr. J. B. Hammock, Chief, Safety Division, code NS, Johnson 
Space Center. 



M. L. Raines 
Director 

Safety, Reliability, and 


Quality Assurance 



[unney 

Kanagety' 
shuttle payload Integration 
and Development Program 
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1.0 INTRODUCTION .- The STS (space transportation system) will be used to carry into space 
many different types of payloads. The developers of these payloads will have varied experience 
and familiarity with both systems safety and manned spaceflight. The payload safety guidelines 
handbook has been developed at the request of the OSF/Director, Reliability, Quality and Safety 
and the NASA Office of Planning and Program Integration to provide the payload community 
with a centralized source of accumulated experience achieved in past Government and industry 
aerospace programs. The guidelines handbook imposes no requirements on the payload 
community but suggests options for the elimination and/or control of hazards. 

The goal of this handbook is to promote payload safety while permitting the maximum 
flexibility in the control of hazards. Two key elements involved in achieving this goal are (I) 
effective communications between NASA and the payload community and (2) utilization of the 
knowledge and experience from previous programs. The payloads safety guidelines handbook is 
intended to provide these elements to the payload community. 

This handbook provides the payload developer with a uniform description and interpretation of 
the potential hazards which may be caused by or associated with a payload element, operation, 
or interface with other payloads or with the STS. It also includes guidelines describing design or 
operational safety measures which suggest means of alleviating a particular hazard or group of 
hazards, thereby improving payload safety. 

1.1 PURPOSE.- The purpose of this handbook is to assist the payload developer in achieving 
compliance with the documented payload safety requirements of NASA OSF. The handbook 
accomplishes this intent by: 

a. Identifying the basic hazards involved with payloads intended for the STS. 

b. Providing design and operations safety guidelines which eliminate or minimize 
potential hazards and thereby improve payload safety. 

c. Providing the safety guidelines in a subsystem format for easy access and use. 

1.2 SCOPE.- The guidelines contained in this document apply to all payloads intended to be 
carried by the STS. They are suggested design or operational means of avoiding hazards which 
if not corrected could adversely affect the safety of the STS. The STS consists of the space 
shuttle, spacelab, upper stages and ground sites needed to support these elements. 

1.3 ORGANIZATION.- This handbook is organized into three sections: Introduction, STS 

Payload Hazards Definition, and Payload Safety Guidelines. Section 2.0, STS Payload Hazards 
Definition, defines the top level hazards affecting payloads. It also covers the various causes, 
failure modes, and potential effects of these hazards. 

Section 3.0 of the handbook contains the safety guidelines which have been prepared to assist 
the payload developer in improving the design and operational safety of his particular payload. 
The guidelines cover STS payloads located in the orbiter payload bay, inside the crew cabin, in 
the spacelab, or external to the orbiter. 

The guidelines are not designed for specific payloads but contain generic data which will assist 
individual payload designers and developers. This approach is necessary because of the wide 
variety, complexity, and early stage of development of the majority of payloads proposed for 
the STS. 

The guidelines address payload design, operations during flight, and operations during ground 
activities including transportation, test and checkout, installation, and refurbishment. For the 
convenience of the developer, the guidelines are grouped by commonly understood subsystem 
designators such as electrical, pyrotechnics, etc., and by subject titles such as materials, human 
factors, and radiation. 
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Each subsystem guideline section is preceded by an index for that subsystem. The index 

identifies the main elements comprising that subsystem. The top level hazards associated with 
each of these main elements are identified in the index and comprise a summary of those 
hazards applicable to that particular subsystem element. This cross index will aid the handbook 
user in determining which guideline satisfies his particular application. 

1.4 DATA SOURCES.- The identified hazards and the safety guidelines were developed from a 
data base consisting of manned and unmanned spacecraft and aircraft experience from NASA, 
DOD, and industrial sources. Data obtained from these sources included existing safety studies 
and safety standards, related payload studies, and payload description documents. The 
documents from which these data were obtained are listed in the bibliography section for 
background information, since pertinent data has been incorporated into the body of this 
handbook. The listing of a document in the bibliography section is not to be construed as the 
imposition of the document as a requirement. 
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2.0 STS PAYLOAD HAZARDS DEFINITION . 

2.1 PAYLOAD HAZARDS.- A hazard is the presence of any potential risk situation caused by 
an unsafe act or condition. There are numerous potential risk situations associated with the STS 
payloads which directly or indirectly affect the safety of STS flight or ground personnel. One of 
the purposes of this handbook is to assist the payload developer in recognizing the hazards 
associated with STS payloads. The identification of such hazards is the necessary starting point 
for the development of safety guidelines which may be used to eliminate or control the hazards. 

Although there may be many secondary or contributory hazards, 10 basic hazard groups were 
identified as the primary concerns applicable to STS payloads. These hazards have safety 
implications during all mission phases on ground and flight crews, the STS vehicle, or other 
payloads. 

The hazard groups were derived from a variety of sources such as: (a) a general knowledge of 
STS payload energy sources which are primary sources of hazards, (b) utilization of experience 
gained from previous manned space programs as to hazards encountered or prevented, and 
(c) other representative sources of hazard grouping or categorizations. The list of hazard 
groups used in this handbook is in general agreement with all such sources. A difficulty common 
to all lists, including this one, is that there is considerable overlap between hazard groups, and 
the assignment of any secondary hazard to a particular group can often be arbitrary. The 
manner in which hazards are grouped or subdivided is therefore not particularly significant. 
What is important is that the payload developer be aware of all the basic hazards associated 
with his payload. 

2.1.1 Hazard Description.- The basic hazard groups, including representative examples of their 
causes and effects, are discussed briefly in the following paragraphs. The groups are numbered 
consecutively from I to 10 to agree with the hazard references in each subsystem guidelines 
index. 


1. COLLISION .- This group involves those hazards which occur when payloads or payload 
elements are allowed to break loose and impact STS structure, other payloads, or flight and 
ground personnel. These hazards are caused by structural failure, procedural error or 
inadequate ground handling equipment. Failure of payload attach points can create equipment 
projectiles that can penetrate manned compartments and injure the crew. Penetration of the 
cabin may result in loss of cabin pressure and crew asphyxiation. Inadequate or incorrect 
procedures during payload deployment, retrieval, or during EVA (extravehicular activity) can 
lead to collision of the payload with the orbiter or other STS elements. Damage to critical 
orbiter control surfaces or primary structure is possible and could prevent a successful return to 
Earth. Ground handling equipment such as slings, cradles, holddown arms, etc., can fail and 
injure personnel during ground operations. 

2. CONTAMINATION .- This group of hazards is associated with the release of toxic, 
flammable, corrosive, condensible, or particulate matter. Contamination is caused by leakage, 
spillage, outgassing, loose objects, abrasion, and from the growth of fungus or release of volatile 
condensible materials. Leakage of hazardous fluids or gases can be initiated from cracked or 
worn seals, gaskets, valve seats, flanges and joints. Spillage of liquids from containers, tanks or 
valves can directly, or indirectly by vaporization, degrade the atmosphere or equipment 
operation. Many materials outgas toxic products, irritants, or foul odors which can damage the 
senses, and the respiratory system of crewmen. Loose objects, dirt, and abrasive action within 
payload components can provide a source of particles that float in the zerogravity environment 
of habitable areas and can enter into the eyes, ears, noses, or mouths of personnel and into 
sensitive equipment. Fungi growing from materials providing nutrients in moist, warm 
environments are bacterial infection sources and contaminants in operating equipment. 
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3* COR R OSION .- This group involves those hazards resulting from the structural degradation 
of metallic and nonmetallic equipment. Material corrosion can be caused by a variety of means. 
Leakage of corrosive or reactive material onto metallic or nonmetallic equipment can quickly 
degrade its usefulness. Material incompatibility or the joining of certain dissimilar metals can 
lead to corrosion. Environmental extremes of temperature and humidity are sources of 
deterioration of metals containing carbon or for most organic materials. Examples of the types 
of corrosive processes which can degrade metal and nonmetal equipment include stress 
corrosion, electrolytic corrosion, and polymerization. Causative agents will include acids, salts, 
solvents, halogens, etc. The effect of corrosion on equipment can lead to mechanical failures, 
premature wear, seizure, and short circuits. The loss of a critical function due to corrosion 
could lead to any of the 10 basic hazard groups identified herein, and the loss of crew, vehicle, 
or mission is possible. 

4. ELECTRICAL SHOCK .- This group includes those hazards responsible for personnel injury 
or fatality because of electrical current passing through any portion of the body. Electrical 
shock can be caused by contact with a "live" circuit because of human error in performing an 
operation, a procedural error, or an equipment failure such as an insulation breakdown in 
exposed wiring. Other causes may be static electricity discharge, lightning strikes, or short 
circuits caused by moisture, bent connector pins, or wires, etc. Static electricity or lightning 
could be hazardous without adequate grounding or shielding protection. The effect of electrical 
shock can vary from a mild burn to loss of consciousness and electrocution. Cuts and bruises 
are possible from the involuntary reaction to the shock. 

Other electrical system hazards affect the performance and operation of equipment and thereby 
affect the crew indirectly. Almost all payload subsystems are either electrically controlled or 
contain electrical components which can malfunction and cause almost any conceivable 
hazardous situation depending on the time and location of occurrence. For example, electrical 
arcing could result in fire or a faulty electrical circuit relay could cause premature activation 
of a pyrotechnic device. Electrical equipment malfunctions should therefore be considered as 
contributing factors for each of the 10 basic hazard groups. 

5. EXPLOSION .- These hazards result from the the violent release of energy as a result of 
payload element overpressurization, fire, chemical reaction, excessive temperature, mal- 
functioning equipment or structural failure causing the release and collision of equipment with 
other structures or equipment. The overpressurization of pressure vessels, accumulators, 
batteries, etc., can result in explosion. Excessive temperature from a fire or a failed cooling 
system can result in explosion of cryogenic tanks, gas generators, pyrotechnic charges, squibs, 
etc. Equipment which can disintegrate explosively include pumps, motors, blowers, rocket 
motors, generators, lasers, etc. The effects of these explosive hazards on the crew could range 
from fragmentation injuries to eye or respiratory system irritation, burns, and asphyxiation. 
These effects would be the result of shrapnel or toxic/corrosive fluids or gases being released 
from the exploding component. 

6. FIRE .- This group deals with the rapid oxidation of payload element combustibles. Fire 
can occur when a fuel and an oxidizer are exposed to an ignition source. It can also occur when 
hypergolics are inadvertently mixed. Fuels or combustibles consist generally of organic 
material, chemicals, and certain metals. Examples of these materials include rubber, wood, 
clothing, paint, plastics, solvents, and magnesium. Any high temperature device or source of 
electrical arcing or sparking can provide the ignition source for fire. Examples of these devices 
are bearings, motors, generators, heaters, lasers and faulty electrical wiring. The effects of 
fire can be catastrophic in the closed environment of a space vehicle. Death by asphyxiation, 
smoke inhalation, or burns are directly attributable to fire. The destruction of critical controls 
or life support equipment by fire can indirectly cause the loss of crewmen or the vehicle. 
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7. INJURY AND ILLNESS .- This group includes those hazards capable of inflicting physical 
injuries or illness of any sort on the flight or ground crews during all mission phases. Physical 
injuries may be caused by impact or collision with stationary objects having sharp edges or 
protruding parts or with shrapnel or projectiles from exploded tanks or accelerated loose 
objects. Physical injuries may also be caused by ingesting particulate matter, touching hot or 
cold surfaces, and by the loss of breathable atmosphere. Crew illness could result from 
exposure to pathogenic bacteria, toxic materials, or to excessive radiation levels. 

8. LOSS OF ORBITER ENTRY CAPABILITY .- This group involves those hazards which could 
degrade the structural, aerodynamic, and thermodynamic integrity of the orbiter and could 
prevent its safe return from orbit. Such orbiter functional degradation can be caused by 
payload elements which cannot be retracted within the orbiter mold line or which prevent the 
closure of the payload bay doors. It can also be caused by payload element contact or collision 
with orbiter structural members, control surfaces, or primary insulation areas during payload 
deploy/retrieval activities. The payload elements preventing payload bay door closure include 
booms, antennas, solar panels, and other hinged or extendable/retractable components. Failure 
of such equipment may be caused by loss of electrical or hydraulic power, structural fracture, 
and jammed or malfunctioning retract mechanisms. Pressure vessel rupture, inadvertent firing 
of pyrotechnics or activation of propulsion systems could result in collision with sensitive areas 
of the orbiter. The eventual consequence of these hazards could be abandonment of the orbiter 
in space or possible loss of the crew and vehicle during an attempted entry. 

9. RADIATION .- This group involves those hazards associated with the exposure of the 
human body and sensitive control equipment to ionizing radiation, ultraviolet or infrared light, 
lasers, and electromagnetic or RF (radio frequency) generating equipment. Ionizing radiation 
hazards may be caused by leaking or inadequately shielded radioactive equipment such as RTG's 
(radioisotope thermoelectric generators), particle accelerators, vidicons, liquid metal heat 
exchangers, etc. Overexposure of personnel to such radiation could result in tissue damage, 
permanent injury, or death. The crew could experience painful burns and eye damage from 
overexposure to ultraviolet or infrared light sources or to concentrated laser light beams. RF 
and electromagnetic radiation sources such as radar equipment and antennas can trigger 
ordnance devices or interfere with operation of critical communication equipment. 

10. TEMPERATURE EXTREMES .- This group includes those hazards associated with the 
departure of temperature from normal. It also includes extreme heat or cold such as that 
generated by fire, cryogenics, and the environment of space. These hazards may be caused by 
insulation breakdown, short circuits, seal leaks, plumbing failures, and procedural and human 
error in handling or operating hot and cold generating equipment. Examples of equipment 
affected by temperature extremes include bearings, motors, electrical components, heaters, 
batteries, tanks, and lines. In addition to fire, these hazards can lead to structural degradation 
and mechanical equipment seizure. The ground and flight crews could suffer skin burns or 
frostbite as a direct result of contacting hot or cold materials. They could also be exposed to 
contamination hazards if overexpansion or retraction of payload components leads to the 
release of toxic matter. 
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3.0 PAYLOAD SAFETY GUIDELINES .- The payload safety guidelines in this section were 
prepared to assist payload developers in achieving compliance with documented safety require- 
ments for payloads using the space transportation system. For easy access by payload 
developers, the guidelines are grouped into 15 generic subsystems. They provide the means for 
payload developers to recognize hazards and also serve as development and design aids in 
meeting payload safety requirements. The guidelines are a source of experience retention data 
for safe design and operations with a baseline of accumulated experience in manned and 
unmanned spaceflight as well as military and commercial operations. 

Since payloads will be designed to incorporate operational safety features, most of the 
guidelines are design oriented. The number of generic operational guidelines included in the 
handbook is minimal because operations planning requires specific equipment configuration and 
definite mission objectives. Only the most general type of operational guidelines could be 
prepared and included at this early stage of payload definition. As payload equipment 
configuration and mission objectives are established, specific operational safety guidelines can 
be developed by the responsible NASA Center or by the payload developer to complement those 
included in the handbook. 

The preparation of the payload safety guidelines consisted of four steps. (I) A data search was 
performed by visiting the participating NASA Centers, DOD, and the aerospace industry. (The 
reference sources are tabulated in the reference section of this document.) (2) The data were 
reviewed, and applicable safety concerns and equipment hazards were collected and categorized 
under the appropriate subsystems. Data were also categorized under the 10 hazards discussed in 
paragraph 2.1. (3) A preliminary hazard analysis was performed for each subsystem to assure 
that the necessary guidelines were developed for payloads. (4) The guidelines were revised for 
payload applicability and developer understanding . 

Each of the 15 subsystem guideline subsections contains an index, a subsystem description, and 
the guidelines. The subsystem description contains a description of the hardware elements and 
their interfaces with a brief discussion of the associated hazards. The guidelines contain three 
main headings: design, flight operations, and ground operations. Under these three headings 
will be found subheadings of equipment elements. Included with the subheadings are the hazards 
(as defined in paragraph 2.1) which are to be controlled by the guidelines. 
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3.1 BIOMEDICAL 

System Description .- The biomedical subsystem consists of medical experiment equipment 
designed to obtain data on man's adaptation and performance in the space environment. It also 
consists of scientific equipment designed to obtain experimental data on the effects of space 
environments on micro-organisms, plant life, primates, vertebrates, and invertebrates. 

The medical experiments consist of measuring instruments such as ergometers, probes, body 
mass measuring devices, and blood pressure measuring devices. Also included are recording 
instruments such as electroencephalographs, electrocardiographs, metabolic analyzers, and the 
associated electronic assemblies. Many of these types of equipment have been developed for 
manned space programs and will continue to be required and refined for future applications. 

The equipment for scientific investigation of living cells will range in complexity and design 
dependent on the scientific objectives. A small part of this type of equipment was designed for 
the Skylab Program. The study of primates as part of manned spaceflight will be accomplished 
for the first time during the Space Shuttle Program. The study of lower animals and plants, 
many for the first time, will also be performed on the shuttle. 

Basic life support systems, including feeding and waste management systems, will be required 
in addition to measuring and recording equipment, probes, surgical tools, specimen containers, 
refrigeration equipment, and incubators for bacterial studies. 

Associated Hazards .- The hazards associated with the biomedical subsystem are contamination, 
electrical shock, explosion, fire, illness, and injury. Contamination hazards can be generated by 
uncontained waste matter from biological experiments. Uncontained waste matter can enter 
into equipment, become part of the breathable atmosphere, or can generate bacteria harmful to 
the crew. Where possible, electrical shock hazards should be identified and eliminated from 
medical equipment by design. Life support systems containers designed for animals and plants 
should have emergency vent systems to avoid overpressurizations leading to explosive hazards. 
Flammable fluids used in experiments should be contained and should not be allowed to escape 
into the habitable areas. It is suggested that experiments containing pathogens should provide a 
redundant means of containment. 

The following guidelines are concerned with experiments involving humans, animals, and 
biological specimens. Section 3.4, ELECTRICAL, should be reviewed for additional guidelines 
applicable to medical experiments. 
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GUIDELINES 


BIOMEDICAL 


GUIDELINES 


3.1.1 Design 

3.1.1. 1 Medical Experiments 


Electrical Shock 


Electrical Shock 


a. Medical equipment to accomplish or support a crewman 
biological test in which electrical power is used should be designed with 
redundant electrical shock protection circuits which remove the input power 
to the equipment when a leakage current level of 100 microamperes is 
sensed. 

b. Medical experiments such as the ergometer which utilizes a 
vectorcardiogram should be designed with electrically insulated restraints, 
shoes, seat, and handlebars to prevent parallel electrical paths. 

c. The design should specify that medical equipment used at the 
entrance or within a body opening of a crewman should be sterilized and 
individually packaged. Disposal facilities should be provided to contain used 
packaging materials and medical equipment to prevent accumulated trash 
which can create hazardous conditions of fire, contamination, and crew 
injuries. 

d. Medical experiments which use flammable fluids, such as 
methane or alcohol, should be designed to prevent the fluids from creating a 
hazard. 


Contamination 


e. Experiments supplying gases to be inhaled by a crewman should 
include a contamination filter. Location of the filter should provide 
maximum protection of the subject with minimum impact to experiment 
results. The gas should be positively identified and tested prior to mission 
operation. Cleanliness levels of the gas should be maintained during 
servicing, and visual placards should be installed on containers describing 
contents and use. 


Iness f. Rotational medical equipment such as a rotating chair, requiring 

crewman participation, should be designed with a braking device for quick 
stopping to release the crewman under emergency conditions such as crew 
emergency egress. 

Iness, Injury g. Equipment to accomplish medical experiments which encapsulate 

a crewman or use multiple straps should be designed for quick release by the 
crewman under emergency egress (i.e., single release point). Devices which 
enclose a crewman and apply either positive or negative pressure should be 
designed for quick depressurization or repressurization to allow the crewman 
a rapid egress under emergency conditions. 
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PAYLOAD SAFETY GUIDELINES 

SECTION NO. 

3.1 SUBSYSTEM BIOMEDICAL 

ASSOCIATED 

HAZARD 

GUIDELINES 

Contamination, 

Illness 

3. 1.1.2 Microbiology 

a. Experiments containing disease-producing bacteria and pathogens 

should be hermetically sealed and packaged in containers or compartments 
to isolate these experiments. Human contact with pathogens should be 
prevented during preflight preparation, flight operations, and postflight to 
preclude contamination of ground and flight crews. The payload contractor 
should develop and provide detailed procedures for handling, operating, 
storing, and disposing of microbiological experiments. 

Contamination, 

Illness 

b. Microbiological experiments requiring pressurized atmosphere 

should be designed with a self-contained system and should be completely 
isolated from the crew environmental control system to prevent contamina- 
tion. The design of the enclosure should allow for a lower internal pressure 
than the ambient. 

Contamination, 

Illness 

c. The packaging of hazardous micro-organism containers should be 

designed to withstand abort and crashlanding forces to protect the crew, 
ground personnel, and the general population from contamination. 

Contamination, 

Illness 

d. When biological organisms are to be used in experiments during 

on-orbit operations, bacteria agent control should be considered as part of 
the experiment design. The controls should be placed with the experiment 
organisms within the incubator. The bacteria agent control container should 
be designed to melt in overtemperature conditions, thereby releasing the 
controlling agents to destroy the biological organisms. Biological 

disinfectants such as Isopropyl alcohol, Phisohex, and Zyphrin chloride should 
be available for cleaning small spills. 

3. 1.1.3 Biological Life Support Systems 

Contamination, 

Illness 

a. The design of biological experiments using plants, animals, or 

other live organisms should consider the provision of containment, venting, 
or elimination of odors generated by waste products. These provisions may 
be in addition to those of the crew environmental control system and should 
be designed to assure that the crew is protected from contamination by 
waste products. 

Contamination 

b. The design of the biological support system for primates, 

vertebrates, etc., should provide for feeding and waste removal features to 
prevent contamination of the spacecraft environment. Operations with 
uncaged animals should be performed in a manner which does not create a 
crew hazard or potential danger to the spacecraft and systems. 


3 . 


PAYLOAD SAFETY GUIDELIN 


Contamination, 


c. When biological subjects, such as animals, are to be used in 
biomedical experiments, the design of the holding units (cages) should assure 
that the crew and spacecraft systems are protected from contamination. 
The holding unit environmental control system design should assure that the 
crew is protected from contamination. Controlled emergency venting should 
be provided for a malfunction contingency of the pressure regulator leading 
to a buildup of excessive pressures. 

d. When designing biological experiments, provisions for preserving 
and storing dead specimens, plants, etc., should be considered to prevent 
contamination. 


None. 


Flight Operations 


Contamination, 


3.1.3 Ground Operations 

In designing experimental hardware for biological experiments, complete 
handling procedures should be provided. The biological experiment should be 
tested under the same timeline and conditions expected during flight 
operations to uncover any hidden hazardous conditions. 
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3.2 CAUTION AND WARNING (HAZARD DETECTION AND SAFING) 

System Description .- The caution and warning system is the means used to monitor parameters 
of flight equipment functions that have the potential of endangering flight or ground crews. 
Caution, warning, and emergency data signals from a payload to the orbiter could be useful 
when a specific payload hazard is identified and has a reasonable probability of occurrence, and 
the crew is able to take corrective or protective action. The system will consist of sensors to 
measure malfunctions or out-of-limit conditions, a power source and data transmission system, 
and a visual and audible signal in the orbiter cabin to alert the crew to an actual or impending 
hazardous situation. During launch or ground operations, caution and warning signals may also 
be displayed by the GSE (ground support equipment). Backup measurements and displays may be 
required for the crew to diagnose or interpret the caution and warning signals. 

The caution and warning system will transmit emergency, warning, and caution type data. 
Those classifications are defined as follows: 

Emergency .- That condition or situation which creates an immediate crew hazard and which 
requires immediate, instinctive crew action. An example on other programs has been fire or 
rapid loss of cabin pressure. 

Warning .- That hazardous condition which in and of itself can cause loss of vehicle or crew and 
which requires crew action. An example could be premature arming of solar panel deploy 
mechanisms. 

Caution .- That hazardous condition which, in combination with other system failures, may cause 
loss of vehicle or crew if uncorrected. 

The payload developer (subject to review and concurrence by the STS operator) will determine 
when it is not feasible to eliminate a hazard by design. He will also be responsible for that 
portion of the caution and warning system on the payload side of the interface. This will 
generally consist of the sensing or detecting devices used to measure safety critical parameters, 
the electrical circuitry for powering the measuring devices, and the circuitry for carrying the 
resulting signals to the STS interface. The payload developer may also have responsibility for 
furnishing the controls for safing the payloads and command overrides for safety critical 
functions. 

Associated Hazards .- Design is the most desirable method to eliminate or reduce hazards to 
acceptable levels. Where this is not possible, the next best measure is to provide the crew with 
a caution or warning to which a crew response is necessary if an out-of-tolerance condition 
exists or if a failure is imminent. Caution and warning systems of this type have been provided 
on previous manned space programs for use when immediate action is needed to correct a 
hazardous situation, to actuate emergency backup systems, or to permit escape from the 
vehicle. 

The guidelines listed in this section are suggested methods of assuring that the crew has 
adequate information to react to potentially hazardous situations. The guidelines, however, are 
not to be taken as NASA requirements. 

Safety critical conditions or potentially dangerous situations include the following examples: (I) 
fire, smoke, or high temperature sources signaling impending fire; (2) overpressurization of 
pressure vessels signaling impending explosion or rupture; (3) the presence of toxic, corrosive, 
or explosive vapors; (4) leakage of radioactive materials; and (5) critical electric distribution 
points for detecting over or under voltage and current. The choice of a detector (measurement 
device) is primarily dependent on its ability to produce accurate and reliable information 
regarding real hazardous conditions with no false indications under any environmental 
conditions. 
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The caution and warning guidelines contained in this section are limited to those which are the 
responsibility of the payload developer, if should be pointed out that there are numerous other 
design safety criteria for caution and warning elements and operations which are the 
responsibility of the STS operator. Because of this dual responsibility and the critical nature of 
this subsystem in protecting the crew and flight hardware, joint decisions will be required to 
determine type and quantity of parameters to be monitored and transmitted and the safety 
controls and override provisions necessary for particular payloads. 
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3.2.1 Design 

3.2.1. 1 C&W (Caution and Warning) Elements 

a. The generation of erroneous signals should be minimized to 
protect the crew from irritation and eventual lack of confidence in safety 
critical data. 

b. An inhibiting function capability should be provided in each 
sensor circuit to isolate a single malfunctioning sensor and permit normal 
operation of all other sensing units. 

c. Emergency controls used for shutdown, safing, alarm, or correc- 
tive action should be clearly marked, visible, and readily accessible to 
operating personnel. 


3.2. 1.2 


C&W Parameters 


a. Typical candidates for C&W parameters are itemized as follows. 
The list is not complete because there is no universal list of C&W 
parameters for all payloads. It may, however, be of assistance to a payload 
developer who may have to consider the inclusion of C&W as part of his 
payload development. 

(1) Atmospheric contamination - to detect leakage, spillage, or 
release of toxic gases, fluids, or particulate matter. 

(2) Overpressurization of pressure vessels - to detect potential 
rupture or explosion where practical by measurements of pressure, tempera- 
ture, strain, or other means. 

(3) Thermal overheat - where potential overtemperature con- 
ditions and safe limits are exceeded in safety critical heaters, bearings, 
thermal insulation, thermal controls, etc. 

(4) Radioactive or electromagnetic radiation leakage. 

(5) Other potentially hazardous elements or conditions which 
may be harmful to the crew and are possible candidates for C&W parameters 
include: (a) critical electrical system over and under voltages and currents, 
and (b) inadvertent or incorrect operation of a laser system. 


3 . 2.2 


Flight Operations 


The C&W system should be active during those periods when the hazard 
potential exists and the flight crew is in close proximity to the payload. 
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3 . 2.3 


Ground Operations 


a. During ground operations, provisions should be made to allow 
end-to-end checks of the C&W system's functional paths. If possible, the 
checkout capability should include sensor function, range, and sensitivity. 

b. The payload portion of the C&W system should be active during 
hazardous ground checkout involving personnel in the vicinity of the payload 
or STS. 
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3.3 CRYOGENICS 


System Description .- The technology of cryogenics concerns itself with the processes and 
phenomena in the temperature region below -100 C (-150 F). Within this definition, there are 
12 gases that liquefy in this temperature region; namely, oxygen, fluorine, nitrogen, argon, 
helium, krypton, xenon, neon, methane, ethylene, ethane, and hydrogen. 

Cryogens may be required in the operation of various payload subsystems. They can be used as 
propellants in propulsion systems or attitude control systems, as reactants in fuel cells, and as 
pressurants and coolants in various applications for payload systems and experiments. 

System elements associated with the safe containment, delivery, and control of cryogens and 
that require special design and procedural considerations include pumps, storage vessels, 
transfer lines, seals, vent valves, relief valves, quick disconnects, and insulation. Important 
design considerations include materials compatibility, dimensional contraction, impact 
sensitivity, condensation accumulation, cleanliness requirements, purge procedures, disposal 
constraints, and chilldown techniques. 

Associated Hazards .- The potential hazards affecting the design, handling, and operations of 
cryogenics systems may be divided into four general categories. These categories are: 

1. Personnel exposure to extreme cold or to toxic or inert gases .- Liquid or low temperature 
gas will produce effects on the skin similar to a burn. This will vary with temperature and 
exposure time, but the eyes can be damaged by very brief exposure to cold gases. Prolonged 
inhalation of cold gas, whether respirable or not, can produce serious lung disorders. Most 
liquefied gases have low toxicity, but adequate ventilation is essential because a small amount 
of liquid can rapidly convert to a large volume of gas depleting the normal oxygen content and 
can create a breathing hazard. In sudden asphyxia, such as from inhalation of pure nitrogen, 
unconsciousness is almost immediate. 

2. Reactivity of the particular cryogenic fluid .- An atmosphere containing more than the 
normal 21 percent oxygen by volume increases the hazard of fire. Combustion is the process of 
a fuel reacting with an oxidizer; any increase in the percentage of oxidizer increases the chance 
of a fire. It also increases the intensity of a fire once it has started and can even involve 
materials normally regarded as being relatively nonflammable. The rapid expansion of 
cryogenic methane, ethylene, ethane, or hydrogen when released in the ambient atmosphere can 
quickly create an explosive situation. 

3. Low temperature environment effects on mechanisms and structural materials,- 
Water or moisture around cryogenic systems create special hazards. The moisture condensed 
from the atmosphere may freeze mechanisms and render them inoperable. Uninsulated vent 
lines can cause the formation of liquid air during fill operations with liquid hydrogen, neon, or 
helium. This formation could prevent normal operation of the vent system by clogging lines 
with frozen air. Also of special concern are the effects of cryogenic temperatures on the 
physical properties of the materials of the cryogenic subsystem and other system elements that 
are in close proximity. Line and pressure vessel ruptures may result from embrittlement of 
materials at cryogenic temperatures. Leakage may result from dimensional contraction at 
flange and fitting seals. 

4. High pressure potential arising from confinement of liquids and gases .- Because of the 
great increase in volume of a cryogen as it vaporizes, it is necessary to provide pressure relief 
valves at strategic points within the cryogenic system. Each pressure vessel or section of line, 
hose, or pipe that may become isolated and entrap cryogen gas/liquids should be protected by a 
pressure relief device. 
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The safety guidelines contained in this section deal specifically with the elimination or control 
of cryogenic hazards. For broader guideline coverage, reference should be made to section 
3.11, PRESSURE SYSTEMS, which covers the generic type safety guidelines relative to 
pressurized gases and liquids. 
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Design 

General 


Explosion, Fire, 
Contamination 


Temperature 

Extremes 


Explosion, 

Temperature 

Extremes 


Explosion 


Fire, 

Contamination 


Explosion 


Contamination. 

Explosion 


Corrosion, 

Illness, 

Contamination 


Explosion 


a. Cryogenic pressure systems should be marked for easy and 
immediate identification. Procedures for safe access, monitoring, servicing, 
and maintenance differ significantly, depending on the chemical and physical 
characteristics of the fluid. 

b. Tank outlet and inlet markings should designate whether the 
working fluid is vapor or liquid. The hazard potential of opening the system 
will differ significantly for pressurized vapors and liquids. 

c. Payload cryogen tank thermal protection systems and tank 
overpressure vent capacities should be designed for maximum heat rates 
during ground tanked, in-flight operational, or STS orbit modes including the 
post abort landing heat soak mode. 

d. Systems for cryogenics should be free from dirt, lubes, metallic 
debris, and impurities. System cleanliness is particularly important in 
cryogenic systems since impurities can become solidified, can cause 
clogging, or can react chemically with the cryogen. 

e. Cryogenic system designs should provide for contraction and 
expansion resulting from the large temperature differentials experienced 
during system servicing and operations. 

f. Cryogenic storage vessels should be provided with sufficient 
redundancy to prevent hazardous overpressurization. Failure of a single 
device could allow pressure to increase to a level that would fail the system 
structurally. 

g. Low points (traps) on cryogenic lines should be avoided to 
prevent accumulation of contaminants. If traps are unavoidable, drains 
should be provided. 

h. Cryogenic fluorine is extremely hazardous. Particular care in its 
use should be exercised. Primary safety considerations of any equipment 
used with fluorine are materials compatibility and cleanliness because of the 
high reactivity of fluorine with most substances. (See paragraph 3.3.l.4.f 
for safety considerations). 

3.3. 1.2 Storage Vessels 

a. The space between the inner and outer shells of cryogenic; 
containers should be evacuated to maintain thermal isolation to prevent 
buildup of pressure between shells. Excessive annular pressure could 
collapse the inner shell or cause a rupture of the outer shell. Any pressure! 
may degrade the insulating qualities of the two-shell design, resulting in 
excessive heat transfer and pressure buildup. 
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GUIDELINES 


3. 3. 1.2 Storage Vessels (continued) 

b. The annular space should be designed with consideration to the 
hazardous effects of potential leakage into the annulus. 

3. 3. 1.3 Venting and Relief 

a. A normal boiloff vent should be provided where practical on 
cryogenic eguipment and should be maintained at a positive (reference to 
ambient) pressure to prevent moisture laden air from backfilling and 
freezing in the vent path. 

b. Cryogenic pressure vessels or tanks should be equipped with fail- 
safe pressure relief capability to prevent tank failure. Typical devices 
providing this capability are pressure relief valves and rupture discs. 

c. Pressure relief devices should be located so that no section of 
the system can be isolated from a relief capability. 

d. Pressure relief disks should be located so that debris fragments 
from the disks, if used, will not impinge on or obstruct adjacent plumbing, 
lines, tanks, cables, or primary structure. 

e. Rupture disks should be selected with burst pressures, at 
specified temperatures, within +5 percent of the desired relief pressure. 

f. Relief valve outlets should be provided with protective devices 
to prevent the entrance of contaminants. 

g. Pressure relief discharge lines should be of sufficient size so that 
they do not restrict the relieving capacity of the safety device. 

h. Venting incompatible fluids through a common line could create 
explosive, combustive, toxic, or corrosive conditions. An analysis should be 
conducted of the potential effluents within a payload to establish safe vent 
and relief passages and procedures for nominal and contingency situations. 


Explosion, Fire, i. Relief devices should be far enough from the tank so that they do 

Loss of Entry not ice up, freeze over, and become ineffective. 

Capability 
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3.3. 1.4 


Materials Compatibilil 


a. Materials that encounter cryogenic fluids should be selected to 
ensure against structural failure through extreme temperature changes and 
operating temperatures. 

b. Materials for cryogenic service should be selected for compat- 
ibility with the specific cryogen and its particular physical and chemical 
properties. 

c. All materials used in liquid oxygen systems should be evaluated 
for impact sensitivity. MSFC-SPEC-106, "Testing Compatibility of Mate- 
rials for Liquid Oxygen Systems," establishes acceptance criteria of 
materials for use in liquid oxygen and provides a method to be used in 
determining the impact sensitivity of such materials. Use of organic 
materials should be eliminated or reduced to a minimum. 

d. Transducers in contact with any cryogen should have damping 
oils omitted and should be calibrated as "dry" units. 


e. Filter elements for use in liquid oxygen systems should be made 
of non-oil bearing bronze, Monel or other nonferrous materials to avoid fire 
or explosion from hydrocarbon contaminants. 

f. If fluorine must be used because of some special property, the 
following safety considerations should be observed: 

(1) The requirements of NASA C2-72064, "Fluorine System 
Handbook," should be followed. 

(2) Surfaces in contact with fluorine should be free from 
foreign materials. 

(3) Welding processes should use inert gas shielding or electron 
beam techniques to minimize contaminants. 

(4) Silicone or hydrocarbon base oil filled differential pressure 
transducers should not be used because of the violent reaction with fluorine 
if a seal failure occurs. 

(5) Reaction with frost at service points can be prevented by 
using an externa! shroud with a continuous inert gas purge. 

(6) Controls for pressurized fluorine systems should be by 
remote means to protect the operator. 

(7) Special care should be taken to avoid contamination of the 

atmosphere with the salts of fluorine since these fine powders can he 
extremely dangerous if ingested. 
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Materials Compatibility (continued) 


(8) Fluorine should not be vented through the common STS 


vent system. 


3.3. 1.5 


Controls 


Explosion, Fire 


Explosion 


Contamination, 
Fire, Explosion, 
Illness/Injury 

Explosion, Fire 


Contamination, 

Explosion 

Illness/injury, 

Corrosion 


a. Manual control handles of cryogenic valves should be insulated so 
as not to be hazardous (e.g., frostburn or frostbite) to an operator. 

b. Shutoff valves should not be installed in series with safety relief 
valves. An erroneously closed shutoff valve could prevent relief of 
hazardous pressures. 

c. Valve housing design should prevent vapor pressure buildup to 
dangerous levels as a result of cryogen leakage into the housing. 

d. When payload vent or dump is required, the valves should be 
remotely controlled from the orbiter or from the ground to provide means of 
exhausting residual cryogens to vacuum prior to retrieval by the orbiter. 

3.3.2 Flight Operations 

a. Components in liquid oxygen systems should be maintained at a 
cleanliness level acceptable for safety system operation. MSFC-SPEC- 1 64, 
"Cleanliness of Components for use in Oxygen, Fuel, and Pneumatic 
Systems," is an example of minimum cleanliness levels acceptable for LO2 
system operation. 

b. Toxic, flammable, or corrosive fluids should only be relieved to 
locations safe for disposal. This could include overboard dump locations or 
special holding tanks for later disposal. 

c. Special hazardous gas detection equipment may be necessary in 
habitable areas where there is a possibility of the accumulation of toxic, 
flammable, or corrosive cryogens. This equipment may be provided by the 
STS or in specific cases may be a payload developer responsibility. 


3.3.3 


Ground Operations 


3.3.3. 1 General 

a. Liquid hydrogen should be stored in closed containers under 3 to 
10 psig pressure to prevent backflow of air into the system. 

b. Equipment that has contained liquid fluorine or any toxic or 
corrosive liquid should be purged with dry inert gas (helium preferred) and 
evacuated to assure removal of the residual fluids. 
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3.3.3. 1 General (continued) 

Explosion 

c. Dye penetrants should not be used for liquid fluorine tank 

inspection. 

Explosion 

d. Welding or any hot work should not be done on or near a system 

containing any of the reactive cryogenics. 

Explosion 

e. Electrical equipment within 50 feet of a reactive cryogenic 

facility should be explosion proof. 

Explosion, Fire 

f. Hazardous gas detection equipment should be used in areas where 

there is a possibility of free fuel or oxidizer accumulation. 

Explosion, Fire 

g. The discharge from vacuum pumps handling hydrogen should be 

ducted to suitable vents to preclude accumulation of combustible vapors. 


3. 3. 3. 2 Test and Checkout 

Explosion, 

Temperature 

Extremes 

a. The design and structural integrity of cryogenic pressure vessels 

and components should be demonstrated safe by pressure tests. 

Temperature 

Extremes 

b. Cryogenic systems should be tested under operating environ- 

mental conditions for structural integrity and freedom from leakage. 

Temperature 

Extremes 

c. Testing systems with cryogenic fluids is extremely hazardous and 

should only be controlled and monitored remotely using precautions similar 
to those for gas leak and pressure testing. 

Contamination 

d. A post-test vacuum purge should be conducted to eliminate 

cryogenic fluid entrapment in valves and other system components, and the 
system should be filled with an inert gas at 5 to 10 psig to preclude system 
contamination. 

Explosion 

e. Hydrostatic test fluids for use in cryogenic oxidizer or other 

systems with LOX (liquid oxygen) clean requirements should pass the LOX 
impact sensitivity test. 
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3.4 ELECTRICAL 

Syste m Descr i ption .- The payload electrical subsystem starts at the interface connector 
between the experiment or payload and the orbiter and includes all electrical/electronic 
components within that package. Unique portions of the electrical system such as pyrotechnic 
circuits are covered in the pyrotechnics section, caution and warning has its own section, and 
controls and displays are found in the human factors section. These electrical subsystem 
components include connectors, batteries, circuit breakers, cables and wiring, control circuits 
parts/components/elements, and power systems (including grounding and power distribution 
system). 

Components like cables and wiring, batteries, control circuits, etc., are of concern to the 
developer only up to the interface furnished by the integrator. Interconnecting cables between 
payloads, between orbiter and the payload, between IUS (interim upper stage) and payload, and 
between pallet and payload are furnished by the integrator and are controlled by the ICD 
(interface controlling document). In the earliest stages of conceptual design, the integrator will 
obtain information for payload electrical interface definition to determine the payload 
interface connector requirements, pin assignment, etc. This information will be published in the 
electrical ICD. Given this interface, the developer also must design and manufacture his 
instrument to be safe in all environments to which it will be subjected. The electrical 
relationship of one subsystem to another within a payload involves all circuits (power, signal, 
command, etc.). Undesirable effects on the circuits include EMI (electromagnetic interfer- 
ence), magnetic, and radiation. Diode isolation, line filters, wire shielding, twisted wiring pairs, 
and separation of signal wiring from command or power wiring are typical good design practices 
used to minimize these effects. 

Interfaces external to a payload are also quite varied. All the above mentioned factors exist at 
each interface (i.e., payload-to-payload, payload-to-pallet, payload-to-orbiter, etc.). Each 
payload, therefore, should be in compliance with the interface requirements of the next higher 
assembly. Likewise, GSE should be in compliance with applicable interface requirements. 

Associated Hazards .- The electrical system can affect a crewman directly by electrical shock 
or by burns in the event of touching overheated wiring or components. Indirectly, however, the 
electrical system can cause all types of hazards. For example, a battery explosion could be 
caused by an internal short or excessive heating caused by failure of a charger to regulate 
properly. Batteries contain explosive gases which are caustic as well as toxic. Fire could 
readily result from a failed or improperly selected circuit breaker. High temperature, either by 
equipment failure or inadequate design, could result in toxic outgassing of materials. High 
temperature in wiring could melt insulation causing fire and/or circuit crossover to pyrotechnic 
circuits or actuators resulting in untimely deployment or actuation. Such events could damage 
the orbiter, other payloads or could injure personnel if they were standing adjacent to such a 
mechanism. Radiation could become a hazard to a crewman if a laser were turned on because 
of failure of interlock circuitry or a circuit crossover. 

EMI can penetrate cables leading to circuitry and can cause resets, inadvertent start of timing 
sequences, squib ignition, etc. The man-machine interface requires certain interlocks and 
sating devices specifically to prevent flight and ground crews from accidently or unknowingly 
initiating an unwanted event. EMI, which a payload may generate but be insensitive to, may be 
a significant hazard to other payloads, the pallet or module, and even the orbiter itself. 

The following electrical guidelines are provided to assist the payload developer in creating an 
instrument as free from crew and ground handling hazards as possible. 
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3.4.1 Design 

3.4. 1. 1 Connectors 

a. Connectors which are mismated in the process of installation can 

cause considerable damage to the connector and to the experiment which it 
powers. In the act of mismating a connector, there is a possibility of 
unwanted actuation of automatic events, firing pyrotechnics, etc., which in 
turn could result in damage to the orbiter, injury to personnel, and other 
unwanted events. The following considerations are presented to help 
eliminate the more common causes of mismated connectors: 

(1 ) Plugs and receptacles should be marked or coded to prevent 
mating in the wrong orientation. 

(2) Plugs and receptacles should be shaped, keyed, or 
restrained so that it is physically impossible to mismate with adjacent 
connectors. 


Electrical Shoe 


Electrical Shoe 
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Contamination 
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(3) Connector shells should have guides so that alignment 
occurs without trial-and-error scraping of pins across the female contact to 
find the alignment position. 

b. Access to power should be only through female contacts or 
sockets; the male contact or pin should be without power when unmated. 

c. Connectors which are scheduled to be mated or demoted by the 
crew during normal in-flight operations should be provided with power 
removal capability when the load is sufficient to result in pin damage from 
arcing. 

d. Connectors are susceptible to the environment in many ways . 
Moisture, loose particles and other forms of contamination can bridge the 
small gap between pins in a connector if these surfaces are left exposed. 
Corona can occur between connector pins at reduced atmospheric pressure. 
Wire flexing eventually can cause an unrestrained connection to break at the 
connector pin. The following will help reduce the occurrence of these 
hazard-producing failures: 

(1) Connector back shells should be environmentally sealed or 
potted with an approved material to avoid particle contamination or 
breakdown of dielectric due to moisture. Wires should be strain-relieved to 
avoid breakage due to flexing. 

(2) Connectors should have tethered caps, plugs, or covers to 
protect against contamination or damage when unmated. 

e. Connectors used within the habitable areas of the spacecraft 
should have self-locking devices. The use of safety wire is undesirable 
because of loose particles and sharp wire ends. 








3 . 4-4 




3.4 

ELECTRICAL 


SECTION NO. 






Explosion, Fire 


3.4.1. 1 


GUIDELINES 


Connectors (continued) 


f. Receptacles whose mating plugs have locking features requiring 
a twisting motion (bayonet or threaded types) should be positively keyed or 
pinned to their mounting surfaces so that it is physically impossible for the 
receptacles to turn during plug attachment. 

g. Power circuits should be designed so that power receptacles and 
connectors located in or used with equipment containing flammable vapor or 
liquids should be incapable of initiating an explosion by sparking or arcing. 

h. Payload connectors, internal or external to the orbiter, should be 
designed to eliminate the possibility of potential damage to crewman life 
support equipment because of stray electrical voltage or current. 

3.4. 1.2 Batteries 


a. 

power: 


The following are typical battery types for payload sources of 


o Carbon-zinc 

o Gelled electrolyte 

o Magnesium-air 

o Mercury-zinc 

o Nickel-cadmium 

o Nickel-hydrogen 

o Nickel-zinc 

o Silver-cadmium 

o Silver-zinc 


The list includes both wet and dry cells, and sealed and vented type 
batteries. Many off-the-shelf batteries require additional enclosures, vents, 
connectors, and markings to make them safe. Batteries should be selected, 
designed, or modified to be fully qualified for the environments to which 
they will be exposed during their intended missions. 


Explosion, Fire, b. Regardless of the type battery selected, the primary hazards are 

Contamination the buildup of hydrogen and oxygen and expulsion of electrolyte. These 
conditions can be overcome by incorporating the necessary design features 
and close control of charging and discharging. Mixed hydrogen and oxygen 
to certain confined volumes and mixture ratios in the presence of an ignition 
source can result in an explosion. Electrolyte is caustic and electrically 
conductive. Expulsion of electrolyte can result in a short circuit leading to 
battery discharge and heating which could result in an explosion. 
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3. 4. 1.2 Batteries (continued) 

The following safety guidelines should be considered in the design of battery 
cells and battery cases: 

(1) Cells should be designed to minimize the probability of 
electrolyte escaping. 

(2) Wet cell batteries should have positive pressure relief 
capability for each cell. 

(3) Cells should contain the minimum amount of electrolyte 
leakage in zerogravity. 

(4) Cell cases should be designed to avoid access of electrolyte 
to vent mechanisms to help prevent electrolyte ejection. 

(5) Cell design should include analysis/tests to determine 
structural capabilities. Annealing of molded plastic cases may be required 
for stress relief. 

(6) An installed battery (single or multiple celled) should be 
enclosed within a case which will prevent electrolyte leakage into the 
surrounding area in the event of damage to any of the battery cells. 

(7) Battery cases for vented cell systems should be designed to 
contain all electrolyte during overpressure conditions such as those caused 
by overload or internal shorts. 

(8) A battery case constructed of metal should be internally 
coated to be resistant to electrolyte attack and the coating should be 
electrically nonconductive. If a vent plug is installed, it should be 
electrically isolated from the case by use of an insulating insert. 

(9) Battery cases with vent plugs should incorporate provisions 
to help prevent ejection of accumulated electrolyte, i.e., porous plug, 
standpipes, etc. 

(10) Free volume within battery cases should be decreased to a 
minimum to reduce the accumulation of gas. 

(11) When battery case vents are used, they should be located to 
preclude damage to adjacent equipment or injury to operating personnel. 

(12) Battery cases should not be vented into the habitable areas 
of the spacecraft. 

(13) Exposed circuitry such as relay contacts should not be used 
inside or adjacent to the battery case. Such components often cause 
sparking and arcing and can ignite the gaseous mixture which a battery 
emits. 
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3.4. 1.2 Batteries (continued) 

(14) Batteries should be designed to preclude polarity reversal 
when installing connecting terminals. Decals or markings should clearly 
indicate positive and negative terminals where lug and bolted terminal 
connections are used. 

(15) Battery connections to main busses should not be of 
dissimilar metals as corrosion between mating surfaces would likely result. 

(16) Battery connections to main busses should be coated or 
sealed to prevent exposure of terminals to ambient environment to avoid the 
effects of moisture. 

(17) Batteries should not be connected with a load applied as 
sparking and arcing could result. 

(18) Battery cases should be marked to indicate the type of 
electrolyte and should refer to the appropriate activation and safety 
procedures. 

3.4. 1.3 Circuit Breakers/Circuit Protection Devices 

Temperature a. A circuit breaker or similar protective device should be provided 

Extremes, Fire, in each payload to prevent an overload in one payload from affecting other 
Electrical Shock payloads, interfacing equipment, or the orbiter. 

Temperature b. Circuit breakers should be sized (or set) to protect the smallest 

Extremes, Fire, wire within all branches of a circuit. Adjustable type circuit breaker 
Electrical Shock settings should have tamperproof settings. 

Temperature c.. Circuit breakers should trip and protect the circuit even if the 

Extremes, Fire, switch lever is physically held in the "ON" position. Circuit breakers should 
Electrical Shock provide a visual indication when tripped. 


Explosion 


Temperature 
Extremes, 
Explosion, 
Electrical Shock 


d. Circuit breakers located in or used with equipment containing 
flammable vapors or liquids should be sealed against these elements to 
qualify the breakers as explosion proof. 

e. A redundant circuit should not share the same circuit breaker 
with the primary circuit. 


f. Circuit protection devices should be sized (or set) so that the 
combination of current and time at which the device operates will not cause 
the operation of protective devices between the circuit breaker and power 
source. 
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3.4. 1.4 Cables and Wiring (continued) 


(1) The use of a single or multipoint shield ground based on the 
interference signal frequencies, the length of the transmission line, and the 
relative sensitivity of the circuit to high or low impedance fields. 


(2) The use of single point shielding, which is effective for 
short shield lengths. Multipoint shielding, in general, solves most shield 
grounding problems if there are no large ground currents present in the 
shield. 


(3) The use of twisted wire pairs to reduce magnetic coupline 
below 5 kHz (kiloHertz). A highly conductive copper braid shield should be 
added over the twisted pair, and the shielding should be terminated at the 
potential of the ground plane to reduce electrostatic coupling. 

Collision, Loss 
of Orbiter Entry 
Capability 

i. The communication subsystem components should be electrically 

shielded from the electrical power components to prevent electrical 
transients from inserting errors into telemetry data leading to misinterpre- 
tation of payload subsystem status, particularly on automated payloads (free 
flyers). 

All 

j. Power and signal (including command) wiring should not be 

routed through the same cable, cable bundle or wiring harness. This practice 
may result in voltage induction into adjacent circuits. Induced voltage can 
be strong enough to fire squibs, reset ^circuit logic, actuate devices, etc. 

All 

k. Shielding to protect against induced voltage for frequencies 

below 50 kHz should be continuous through all connectors and should be 
grounded at only one end. Above 50 kHz, shielding should be continuous 
through all connectors and should be grounded at both ends. 

Electrical Shock 
Temperature 
Extremes, Fire 

1. Wiring splices are undesirable. Splicing allows an unknown 

quantity of additional single point failures. If splices are required, they 
should be witnessed, inspected, and recorded as specified in JSC Design 
Standard No. 88 or equivalent. 

Electrical Shock 
Injury 

m. When power or signal grounds are connected to structures, all 
grounds should be carried back to the orbiter payload power interface point 
(see section 3.4. 1.6. k, Power Systems). 

Electrical Shock 
Fire, 

Temperature 

Extremes 

n. Single strand solid wire should not be used in locations where it 

may be subjected to flexing as it could break. 

Electrical Shock 
Fire, 

Temperature 

Extremes 

o. The use of wire smaller than 22 gauge should be avoided because 

of its susceptibility to breakage during handling and vibration. 
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Fire, 

Temperature 
Extremes, 
Electrical Shock! 


All 


Contamination, 

Corrosion 


Corrosion, 
Temperature 
Extremes, 
Electrical Shock 

Temperature 

Extremes, 

Fire, Electrical 
Shock 

Electrical Shock! 
Temperature 
Extremes 

Explosion, 
Temperature 
Extremes, 

Fire 


3.4. 1.3 Circuit Breakers/Circuit Protection Devices (continued) 

g. Circuit protection devices should be used in all GSE current- 
carrying conductors which connect to flight hardware (power, control, 
signal, and returns). 


3.4. 1 .4 Cables and Wiring 

a. Wiring penetrations should be potted, sealed, or similarly 
protected against shorting by materials floating in zerogravity environment 
and against the effects of liquid leakage or condensation. 

b. Electrical wire or cable insulated or coated with Teflon TFE 
(polytetrafluoroethylene) or FEP (fluorinated ethylene propylene) should be 
etched prior to potting to assure mechanical bond strength and environ- 
mental seal. Unetched TFE or FEP wire insulation will not bond properly, 
and moisture can penetrate within the connector causing dielectric 
breakdown between pins. 

c. Potting must be accomplished within 3 weeks after etching or 
the bond strength will deteriorate. 


d. When etching of insulation is required, the process specification 
should specify that the bare conductor portion of the wire must not be 
exposed to the etchant and that there are no pinholes in the insulation. 


e. Cabling and/or wiring exposed to the extreme temperature 
environment of space should be capable of being flexed without damage. 


f. Cables and wiring should be configured, located, clamped, and 
supported to eliminate any possibility of mechanical stress on wires, wire 
terminations and connectors, or contact with liquid lines and to remain clear 
of sharp edges and moving parts. 


Temperature g. Wires and cables should not be identified or marked by hot 

Extremes, stamping directly onto the insulation as this may reduce the integrity of the 

Electrical Shock, insulation and cause embrittlement. 

Fire 

Collision, h. Critical and hazardous systems should be adequately shielded 

Explosion from RF radiation which can cause possible equipment malfunctions, can 

initiate ordnance devices, and can present vital communication functions. 
Design safety consideration should be given to: 








Electrical Shock, p. Electrical cable installations should be designed with sufficient 

Temperature flexibility, length, and accessibility to permit disconnection and 

Extremes, Fire, reconnection of connectors without damage. 

Explosion 

All q. Electrical wiring insulation should meet the applicable 

environmental, flammability, and chemical compatibility requirements. 
Teflon TFE (per MIL-W-22759) and Kapton polyimide (per MIL-W-8I38I) 
have been tested and found to meet the flammability requirements. 
Polyvinyl chloride (PVC) should not be used. 

All r. Circuit breaker/wire gauge size compatibility should be 

established by analysis. 

All s. Precautions should be taken in clamping, bending or otherwise 

stressing Teflon covered wire as shorting caused by insulation cold flow 
could result. 

3.4. 1.5 Control Circuits 

All a. When redundancy is required, the redundant control circuit 

components should be independent of those components used in the primary 
control circuit. 

All b. When redundant control circuits are necessary, primary and 

redundant control circuit wiring should not be routed through the same cable 
or connector. 

All c. When redundant control circuits are necessary, primary and 

redundant circuits should not be supplied from the same branch power bus or 
circuit breaker. 

Electrical Shock d. Electrical shock protection circuits should be provided where 

hardware operation requires electrical interface with the crewman. 

All e. Redundancy should be considered where relays are used in 

critical control systems. 

All f. Self-test circuits should indicate the actual system response 

rather than indicate only the initiation of a command or test signal. 

All g. System indicators used to monitor system status should indicate 

the actual system response rather than indicate only the initiation of a 
command or application of power. 

All h. Control circuits should include an in-flight checkout capability to 

verify the independent operation of each circuit. 
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Control Circuits (continued) 


i. Redundant control circuits which control hazardous functions 
should include a self-test or checkout capability. 

j. Safety critical circuits, such as a heater circuit which could 
experience thermal runaway in operation, should be designed fail-safe. 


k. Equipment should revert to a safe configuration when an input 
power loss, overvoltage, or undervoltage condition occurs. 

l. When heating elements are incorporated in ovens or similar 
environmental chambers, consideration should be given to redundant 
automatic heater shutoff devices (independent of primary temperature 
controlling devices) that require manual reset. 

m. Equipment should be provided with an accessible single main 
power on-off switch which will remove all power (other than input power to 
the main switch) from the equipment when the switch is placed in the off 
position. 

Electrical Shock, n. Circuitry having capacitors which could discharge hazardous 

Injury current levels should be provided with a bleed-down circuit. 


Collision, 

Injury 


Fire, 

Temperature 

Extremes 

Explosion, Fire 


Collision, 

Explosion, 

Injury 


o. Redundant circuit protection devices should be used where 
opening of the primary device would result in a hazard. 

p. Circuits (including latching relay circuits) should be designed to 
preclude inadvertent operation due to voltage transients. 

q. When heaters are used primarily for temperature control of 
experiment components, consideration should be given to independent 
circuits for temperature sensing, control, and overtemperature protection. 

r. Electrical and electronic components located within consoles, 
panels or similar equipment enclosures containing or exposed to flammable 
gases, vapors, or liquids should be explosion proof. 

s. Circuit breakers or switches used to control equipment or 
circuitry intended for emergency purposes should have positive protection 
against inadvertent operation. 

t. Loss of control circuit power should not result in the loss of 
capability to determine the status of the payload. 

u. Operating range and performance limits for experiments should 
be specified in the design. 
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3. 4. 1.5 Control Circuits (continued) 

Collision, 

Temperature 

Extremes, 

Contamination 

v. Cleanliness level and contamination control requirements of 

electrical/electronics should be specified in the design. 

All 

w. Automatic relays in safety critical circuits for switching to 
backup power should respond also to the gradual loss of primary power. 


3.4. 1.6 Power Systems 

All 

a. Capability should be provided to remove electrical power from 

each experiment interface without affecting the operation of other 
experiments or systems to permit load selection during emergency 
conditions. 

Fire, 

Electrical Shock 
Explosion 

b. The power system overload protective devices should also pro- 

, tect the ground support equipment against damage resulting from a 
spacecraft power system malfunction. 

All 

c. Redundant power distribution buses should not be routed through 

the same connector as a single failure may cause a loss of both buses. 

Electrical Shock 
Injury 

, d. Barrier isolation and warning markings should be provided for 

power sources. 

Electrical Shock 
Injury 

, e. A power removal interlock should be provided which is activated 

by removal of access panels or covers during servicing. 

Electrical Shock 

f. Test points should be provided for safe status monitoring. 

Electrical Shock 

Illness/Injury, 

Radiation 

, g. All external parts of the RF equipment, excluding the driven 

elements of the antenna and transmission lines, should be at ground potential 
at all times to prevent undesired radiation and injury to operating personnel 
from accumulated charges, accidental connections, and stray potentials. 

All 

h. Direct current returns should not be disconnected or isolated 

from the single point ground connection to the spacecraft structure during 
any mode of system, experiment, or other payload operation as voltage 
transients, EMI, and electrical shock are a few of the hazards which could 
occur. 

All 

i. Module, experiment, and other payload cases should be electri- 

cally grounded so that a fault current (based on maximum short circuit 
current that may result from available power within individual equipment) 
may be safely returned to the spacecraft single point ground. 
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Electrical Shock 
Collision 


3.4. 1.6 Power Systems (continued) 

j. Negative control or switching in the power return leads of a 
component should not be used unless the positive lead is switched simulta- 
neously. An application of this would be reversal of a motor. 

k. Power and signal returns for flight systems, experiments, or 
other payloads should be isolated from the chassis and should be routed 
through connectors or terminals to a single point ground termination for 
interface with the spacecraft single point grounding system. 

l. To reduce EMI problems caused by improper or inadequate 
grounding, the following practices are recommended: 

(1) Bare metal mating surfaces should be cleaned. 

(2) Mating surfaces should be welded when possible; when not, 
bonding straps should be used to bridge between adjacent pieces of metal. 

(3) Where protective films or coatings are required, it should 
be ensured that the material is a good conductor. 

(4) The fastening method should be designed to exert sufficient 
pressure to hold the surfaces in contact in the presence of deforming 
stresses, shock, and vibrations associated with the equipment and its 
environment. 

(5) If the surfaces are not inert in their storage and operating 
environments, surface protection should be provided according to paragraph 
(3) preceding or other suitable measures should be taken to ensure the main- 
tenance of the bond for the service life of the equipment. 

(6) Paint should not be used to establish an electrical or RF 


RF bonds. 


(7) Threads of screws or bolts should not be used to establish 


gaskets. 


(8) Ohmmeters should not be used to evaluate RF bonds or RF 


(9) RF gaskets should be compressed. 

(10) A uniform grounding philosophy should be ensured. 

(11) Ground loops, impedance coupling and floating grounds 
should be checked. 
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Power Systems (continued) 


(12) Good electrical bonding practices for ground terminations 
should be ensured. 


All 


m. Plug-in tools for use in spaceflight should be compatible with the 
spacecraft electrical system single point ground (see ICD for details). 


All 


3.4. 1.7 Parts/Components/Elements 

a. Conformal coatings which place stress on glass diodes should not 
be used. In other applications, the thickness of conformal coating should be 
closely controlled to prevent stress on components resulting from shrinkage. 


Corrosion, b. Positive provisions should be specified in the design to preclude 

Electrical Shock seepage of conformal coatings into electrical interfaces in stud-mounted 
semiconductor installations. 


All 


All 


All 

All 


All 


All 


c. Circuit boards, terminal boards, switches, relays, and similar 
components should be potted, sealed, or similarly protected against the 
effects of liquid leakage or condensation and against shorting by materials 
floating in zerogravity environment. 

d. Electrolytic capacitors such as tantalum wet slug or aluminum/ 
paper should not be used in timing circuits or circuits where capacitance 
must remain stable with changing voltage. 

e. Electronic parts and leads should be configured to provide for 
relief of strain due to thermal expansion and contraction. 

f. . Point-contact, grown-junction or alloy-junction semiconductors 
should not be used. In general, semiconductors made prior to 1962 are of 
poor reliability because of physical internal construction, low temperature 
tolerance, high leakage currents, etc. If it is necessary to use any semi- 
conductors of this vintage, it should be demonstrated that crew safety will 
not be adversely affected by failure of these components. 

g. Component selection should be such that the setting, position, or 
adjustment of controls will not be affected by shock, vibration, or accel- 
eration resulting from launch, separation, or on-orbit operations. 

h. Equipment requiring adjustment during operation should have 
external adjustment provisions. 


All 


i. When ultrasonic vibration is used for cleaning sensitive elec- 
tronic assemblies, consideration should be given to potential adverse effects. 





PAYLOAD SAFETY GUIDELINES 



3.4. 1.7 Parts/Components/Elements (continued) 

j. Polyurethane conformal coatings containing solvents which 
dissolve polystyrene should not be used on circuit boards containing poly- 
styrene components. A solvent compatibility check should also be conducted 
to determine compatibility with the printed circuit board materials. 

k. Positive mechanical means should be specified in the design to 
ensure adequate contact pressure is maintained at stud-mounted semi- 
conductor connections. 


l. CMOS (complementary metal oxide semiconductor) and other 
static sensitive circuit components should be avoided in safety critical 
circuits where static discharge, including lightning, is unavoidable. Such 
lightning conditions are common at KSC, and previous programs such as 
Viking have experienced a high mortality rate of installed and operating 
CMOS components because of lightning striking in the vicinity of buildings 
where the components were in operation. 

m. Terminal lugs and insulated washers used with stud-mounted 
semiconductors should have sufficient matching surface area to ensure that 
the terminal lug will remain insulated from the mounting structure. 


All n. When electronic components which are sensitive to static 

discharge are prepared for shipment or environmental protection, caution 
should be used to avoid material which will induce static electricity. 

Contamination o. Previous experience has shown that sheeting and bagging 

materials used for protecting flight hardware are susceptible to outgassing 
of plasticisers at near room ambient conditions. A thorough understanding 
of the materials used will avoid the undesirable effect of outgassing. 

Contamination p. Care should be used in selecting an inert atmosphere for shipping 

and storing electronic components. Certain items such as video tubes will 
absorb helium through the vacuum seal and then not operate when they are 
to be depended upon. 

3. 4. 1.8 General 

Collision, Injury, When payloads require the use of magnets, the magnetic strength should be 
■e investigated for compatibility with orbiter / payload systems. 


Contamination 








3 . 


AFETY GUIDELINE: 



GUIDELINES 


3.4.2 Flight Operations 

Electrical Shock a. Connectors which are scheduled to be mated or demoted by the 

Explosion, Injury crew during normal in-flight operations should have power removed at the 
circuit breaker panel or switch, and power removal should be verified by 
positive means prior to demoting or mating. 


Electrical Shock 

Collision, 

Explosion 

Electrical Shock 
Injury 

Electrical Shock 
Explosion 


Electrical Shock, 
Explosion 

Electrical Shock 
Explosion 


b. Circuit breakers for a particular system should not be engaged 
until the system is needed or as late as possible. This reduces the possibility 
of short circuits, crew shock, inadvertent actuation, etc. 

c. Connection and disconnection of solar panel connectors should 
not be done when panels are illuminated. Solar intensities can generate a 
high current level, and sparking and arcing could occur. 

d. Solar panel connectors should not be mated or demoted until it is 
verified there is no load connected. 


3.4.3 


Ground Operations 


a. Connection and disconnection of solar panel connectors should 
not be done when panels are illuminated. Some levels of artificial illumi- 
nation can cause arcing at the connector pins. 

b. Solar panel connectors should not be mated or demoted unless it 
is verified there is no load connected. 

c. Contemporary space age electronic circuitry is very susceptible 
to burnout or circuit degradation from exposure to small electrostatic 
charges. These are easily built up on plastics, insulation, clothing, paper, 
containers, packing material, etc. The effect is further aggrevated by low 
humidity. Caution is necessary to prevent discharge of any of these sources 
of static electricity into sensitive circuitry. 
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3.5 ENVIRONMENTAL CONTROL 

System Description .- The environmental control consists of thermal insulation, heaters, 
furnaces, coolant loops, automatic and manual temperature controls, and cooling fans as needed 
for payload thermal control, it does not include the life support and waste management system 
for the habitable areas on the orbiter. 

The environmental control system will interface with pressure systems and electrical sub- 
systems when payloads require coolant loops, heat exchangers, refrigerants and their related 
controls. The environmental control system also interfaces directly with payload structures as 
the payload should not transfer heat into the orbiter structure. Payload equipment generating 
heat should also be insulated to prevent overheating of adjacent components and payload 
structures. Thermal measurement sensors may be necessary to alert the crew of impending 
overtemperature conditions and the need for corrective action. 

Associated Hazards .- The hazards associated with the environmental control are contamination, 
corrosion, fire, illness, injury, and temperature extremes. Insulating materials which shed 
particles can cause contamination problems in equipment in zerogravity and will contaminate 
the atmosphere in habitable areas. Leaks of toxic refrigerants into habitable areas can 
contaminate the atmosphere and lead to crew illness. Materials susceptible to moisture and 
high humidity may corrode, grow fungus, or cause electrical problems progressing to equipment 
failures and crew hazards. Inadequate or lack of remote control capability of heaters can lead 
to fires or temperature extremes and failures of essential equipment. Furnaces must be 
adequately shielded to protect personnel from burns and they should contain adequate controls 
for venting and emergency shutdown. Thermal insulation should be provided to protect orbiter 
structure from temperature extremes caused by heat transfer from heat generating sources. 

This section includes guidelines for selection and use of materials or components in the use 
environment where high humidity, moisture, vibration, and shock will be encountered. Other 
sections which should be reviewed for additional information are sections 3.2, CAUTION AND 
WARNING, 3.1 I, PRESSURE SYSTEMS, and 3.15, STRUCTURES. 
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Illness/Injury 


Corrosion 


Collision 


Temperature 

Extremes 


3.5.1 Design 

3.5. LI General 

a. Operating equipment such as pumps, fans, motors, gearing, 

actuators, and electrical components should not produce noise levels in 
habitable areas causing crew annoyance and discomfort. Excessive noise 
levels contribute to crew error or can cause permanent hearing loss. The 
maximum allowable noise levels of experiments should not exceed the noise 
criteria standards contained in "Man/System Design Criteria for Manned 
Orbiting Payloads" (MSFC-STD-5 1 2). 

b. Materials should be selected which are not nutrients for fungus. 

The Kennedy Space Center has a natural environment with favorable con- 
ditions for moisture and fungus growth. Experiments in habitable areas 
should not provide a source of fungi contamination. Materials which are 
nutrients to fungus should be hermetically sealed or treated to render the 
exposed surfaces fungus resistant. 

c. Materials sensitive to moisture which can induce corrosion or 
electrical problems should have adequate protective coatings. 

d. Payload equipment should be designed to withstand the use 
environment and should be subjected to simulated environmental tests. 
Shock mounts and vibration isolators should be provided as necessary. 

3. 5. 1.2 Thermal Insulation 

a. Thermal insulation may need to be provided on payload/orbiter 
physical interfaces to minimize heat transfer to orbiter structure. In areas 
where thermal insulation is necessary, thermal coating insulation should be 
used to minimize heat transfer. 


Temperature 

Extremes 


Temperature 

Extremes 


Contamination 


b. Insulation should be used on pallets to minimize heat transfer to 
the structure. This should be designed for ease of installation and removal 
to provide thermal control for the attached experiments. 

c. Insulation should be used to protect flammable fluids from heat 
sources. They should also be used in areas where thermal conditions can 
heat surfaces to which the crew will be exposed or which provide sources of 
ignition. 

d. Materials selected for use as thermal insulation should not react 
chemically with fluids. They should be selected on the basis of their 
nonabsorbent, nonflammable, and nonshedding characteristics. 






DEUNES 


ENVIRONMENTAL CONTROL 


3.5. 1.3 


Heaters 


a. In equipment requiring heaters, consideration should be given to 
use of redundant control circuitry to prevent overtemperature. 


Temperature 
Extremes, Fire 


Fire, 

Contamination, 

Temperature 

Extremes 

Fire, 

Temperature 

Extremes, 

Illness 


b. The design of equipment requiring automatic heater control 
should contain provisions for automatic shutoff for off-nominal high 
temperature conditions. 

c. Temperature sensors should be provided as necessary to indicate 
overtemperature conditions or when safe limits are exceeded. Automatic 
shutoff devices should be provided to shut off the input energy sources. 

d. Equipment such as furnaces which must operate at high tempera- 
tures in the presence of flammable materials should be provided with 
purging and fire suppression devices. Purging provisions should vent 
combustion products and gases outside the habitable area. 

e. Incubators used for bacterial studies should be designed with the 
means to remove the power when temperature limits are exceeded. 
Mechanical or procedural controls should be available to prevent inadvertent 
release of bacteria. 


Contamination, 


f. Materials selected for use in heaters, furnaces, and other 
thermal equipment should not emit toxic fumes or foul odors into the 
habitable area. 


3.5. 1.4 


Thermal Control 


Injury, 

Temperature 

Extremes 


Temperature 

Extremes 


a. In designing experiments to be installed in habitable areas for 
crew operations, the touch temperature of front panels and controls should 
not exceed 45°C (I I3°F). 

b. In designing thermal controls using coolant loops, refrigerants 
should be selected which are nontoxic and nonflammable. Coolants should 
be selected for thermal and physical characteristics over the entire 
operating range and should be compatible with the metals and materials of 
heat exchangers, piping and pumps. 

c. Heat sensitive components should not be located in high tem- 
perature areas or adjacent to equipment radiating heat. 

d. When fans are used to circulate coolant air, manual controls 
should be included to deenergize the fan for servicing and also for fire 
control. 
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3. 5. 1.4 Thermal Control (continued) 


Injury 


Injury, Fire 


Injury, 

Temperature 

Extremes 

Contamination 


Temperature 

Extremes, 

Contamination 

Temperature 

Extremes, 

Contamination 


e. Equipment exposed to space environments in sealed canisters 
which will be retrieved should labeled with appropriate caution and warning. 

f. Cooling ducts, fans, cold plates or coolant loops should be 
located to provide uniform and adequate cooling without creating "hot spots" 
which can lead to fire hazards or potential crew injuries from burns. 

g. Debris guards, screens, filters, and similar protective devices 
should be located at inlets to ducts, mounted fans, coolant pumps, and other 
similar components to prevent clogging of these devices. 

h. Heat exchangers should be located outside habitable areas to 
minimize heat loads and to eliminate one source of potentially hazardous 
leakage of fluids. 

i. To minimize leakage, the use of B-nuts in fluid lines of thermal 
control equipment should be avoided. Maximum use of brazed or welded 
joints is preferred. 

j. Coolant loop connect and disconnect fittings should be keyed and I 

marked to remove the possibility of incorrect line connections. j 


Flight Operations 
None 


Contamination 


3.5.3 


Ground Operations 


Coolant loops should contain provisions for accessible fluid loading and 
contamination control during ground operations. 
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3.6 HUMAN FACTORS 

System Description .- Human factors include those potentially hazardous interfaces between 
man and machine. Human capabilities and limitations are prime safety considerations when 
evaluating the design safety of hardware which requires human operation or handling. Elements 
of payload equipment which require direct human interfaces are represented by controls 
(switches, breakers, levers, knobs, etc.), displays (gages, meters, cathode ray tubes, etc.), and 
equipment requiring ground and flight crew operations for maintenance, servicing, repair or 
replacement, and normal operations. 

The human capabilities and limitations which are important factors to be considered in the 
design of safe equipment involve the senses of sight, hearing, and touch. Others deal with 
human characteristics such as physical strength, reach limits, manual dexterity, and reaction 
time. 

The environments in which human beings are expected to operate must be considered for factors 
which affect human safety. For example, adequate lighting must be provided for efficient 
visual perception. Noise levels must be minimized since high noise levels can reduce crew 
efficiency, can contribute to performance errors, and can even cause permanent loss of hearing. 
High frequency low amplitude vibration is often detrimental to the performance of mental and 
physical tasks. The unique effects of weightlessness must always be considered during on-orbit 
operations. Various types of harmful radiation sources also affect human safety. Radiation 
safety guidelines are covered in detail in section 3.14 of this document. 

Associated Hazards .- The basic hazards associated with the human interfaces with hardware 
involve crew injury or illness from electrical shock, burns from contact with exposed high 
temperature components, cuts and bruises from contact with sharp edges or moving parts, and 
ingestion of small loose objects or space debris. Other basic hazards such as fire, explosion, or 
contamination can be caused by human error or by inadequate hardware design or operations 
which contribute to human error. 

To minimize the effects of these human interface hazards, the following contributors to human 
error must be considered in the design and operation of payload elements: 

a. Excessive physical demands. 

b. Unnecessary distractions. 

c. Inadequate or unnecessary display of information. 

d. Difficult, complicated, and dangerous tasks. 

e. Harsh or unpleasant working environment. 

The guidelines contained in this section outline various methods to avoid these human interface 
type hazards. They are organized by payload hardware elements which are directly operated, 
handled, or interfaced by the crewmen. For further information regarding human capabilities 
and their influence on design safety, reference should be made to "Man/System Design Criteria 
for Manned Operating Payloads" (MSFC-STD-5 1 2) and "Human Engineering Guide for Equipment 
Designers," Library of Congress Catalog Card No. 54-8698. 
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Injury/Illness 


Temperature 

Extremes 


Explosion 


Electrical Shock 


3.6.1 Design 

3. 6.1. 1 Controls and Displays 

a. It is preferable not to use glass or other shatterable materials on 

manned spacecraft. If these materials must be used in applications such as 
gages, indicator faces, cathode ray tubes, etc., they should be covered with 
solid materials such as Lexan polycarbonate to protect the crew from broken 
particles. 

b. Equipment which could cause burns by inadvertent personnel 

contact should be shielded, isolated, oriented away from personnel, or 
labeled to warn them of the danger. The continuous touch temperature of 
front panels and controls requiring manual operation should not exceed 45 C 
(I I3°F). Equipment which may retain heat in excess of this limit should not 
be located where personnel contact is possible or should be labeled to warn 
the crew of this hazard. 


c. Electrical and electronic components located within consoles, 
panels, or similar enclosures containing or exposed to flammable vapors or 
liquids should be explosion proof. If any such flammable material is allowed 
onboard the manned spacecraft, it should be contained in nonflammable 
equipment enclosures. 

d. Conductive surfaces of equipment touched by the crew (knobs, 
handles, levers, switches, panels, etc.) should be grounded and insulated to 
preclude personnel shock or burn. Also, such equipment should not be 
located close to high voltages. 


Injury/Illness e. Viewfinders and similar crew sighting equipment should 

incorporate filters or automatic aperture controls to limit the amount and 
type of light seen by the crewmen to avoid retinal damage. 

All f. Adequate lighting is essential for the efficient visual 

presentation of information and to ensure safe task performance by crew 
personnel. MSFC-STD-512 represents the prime source of design and safety 
criteria for the proper illumination of equipment and areas. 

Injury/Illness g. Noise can cause annoyance and discomfort, can reduce the 

efficiency of crew performance, can contribute to crew error, and can even 
cause permanent hearing loss. The maximum allowable noise level of 
experiments and payload elements should not exceed the noise criteria 
standards contained in MSFC-STD-512. 
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3.6. 1.1 Controls and Displays (continued) 


Injury/Illness 


Injury/lllness 


All 


All 

Injury/Illness 


All 


All 


h. Controls, indicators, and displays (especially emergency or 
contingency type controls for sating, alarm, or corrective action) should be 
clearly marked and labeled and should be readily accessible to operating 
personnel to indicate the system function for each switch position or 
operation. 


i. Any control function which could cause personnel injury if 
operated at the wrong time should be identified in the design, and 
precautions should be taken to minimize this type hazard. 

j. Identical controls, such as switches located on the same panel, 
should be distinctly identified or specifically marked and should not be 
located near each other when these controls perform different functions and 
improper switch selection could result in a hazardous situation. 

k. Control switches requiring coverguards should have the 

coverguard designed or switch nomenclature located so that the position of 
the switch can be determined without moving the coverguard. 

l. The use of switches which do not indicate their on-off positions 
should be avoided. An example of this type switch includes a self-latching 
function switch, such as a pushbutton switch, which may be operated without 
indicating the switch position during the power-off phase. Another type to 
be avoided is a spring-loaded-to-center switch which controls latching 
relays. 


m. Payload controls which are critical to crew or shuttle safety 
should be shielded, guarded, or located so they cannot be accidentally struck 
or moved. 


n. The size, shape, spacing, and location of control switches, 
handles, levers, etc., should allow for human capabilities and limitations 
when operating these devices. For example, if a crewman is wearing a 
spacesuit and gloves at the time, allowances should be made for his 
restricted movements and limited dexterity in manipulating control devices. 


Injury/lllness 


o. The setting, position or adjustment of controls should not be 
affected by shock, vibration, or acceleration resulting from space vehicle 
launch, docking operations, deployment handling or deorbiting and landing. 
Methods to accomplish this could include the use of detents, keyed shafts, 
locking devices, tension springs and switch guards. 


All 


p. Handles, knobs, and levers on rotary controls should be keyed or 
shaped to prevent turning on their shafts. Also each rotary control assembly 
should be keyed or pinned to its mounting surface to prevent simultaneous 
rotation of the handle, shaft, and control assembly. 
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Controls and Displays (cont inued) 


Injury/illness 


I njury/ 1 1 1 ness 


Injury/Illness 


All 


q. Handles, knobs, latches, levers, etc., requiring alignment or 
adjustment should have alignment indices or visible markings to ensure 
proper alignment and adjustment including realignment in flight. The 
alignment markings should be visible without removal of any component. 

r. Washers or spacers used in conjunction with knobs, handles, 
locking pins, and similar devices should be designed to prevent unintentional 
removal. The presence of debris in zerogravity can create a hazard ranging 
from minor irritation to a crewman to failure of an orbiter system function 
due to jamming or interference with its component parts (ingestion into 
rotating machinery). 

s. Redundant automatic shutoff devices should be provided for 
equipment where the buildup of energy could result in a catastrophic 
situation. Examples of such equipment are turbines which could run away, 
ovens, or similar environmental chambers incorporating heating elements 
and pressurization systems. 

t. As a design goal, direct pressure readout gages should not be 
used. A rupture or failure of the gage or feedlines would release the 
measured fluid or gas into the area under full-line pressure, and the 
operating personnel could sustain injury from flying objects released from 
the failed gage. Pressure transducers are an excellent replacement for 
direct readout gages. 


Injury/ll Iness 


u. If the use of direct pressure readout gages is unavoidable, these 
gages should incorporate proper sized blowout plugs. The blowout plug 
should be positioned so that the direction of discharge will not injure 
personnel or damage adjacent equipment. To prevent contamination of the 
area, a pressure relief valve, instead of the blowout plug, could be installed 
at the gage and an overboard drain line connected to the relief valve. Also, 
the panel plate or bracket used to mount direct pressure readout gages 
should not interfere with the operation of the blowout plug. 


All 


v. Instrument displays should provide accurate, legible, and clear 
information for use by crewmen to interpret correctly equipment 
performance and status and to react as necessary to continue operation of 
this equipment. 
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3. 6.1. 1 Controls and Displays (continued) 


All 


Injury/Illness 


All 


All 


Injury/lllness 


All 


w. Pressure gages, temperature gages, and similar readout devices 
should indicate normal system operating conditions in the center 50 percent 
of the total range of the gage or device. 

x. System indicators used to monitor status should indicate the 
actual system response rather than the initiation of the command or the 
application of power. An example of this could be the indication of actual 
extension of an antenna rather than just the command to extend. 

y. The identification and marking of payload components should 
include color coding to indicate marginal or hazardous range limits. 
Accepted orbiter standards for color coding are MIL-STD- 1 247B for flight 
equipment, MIL-STD-IOIB for ground equipment, and MIL-STD-1472 for 
orbiter cabin equipment. 

z. To assist the operating personnel in correct interpretation of 
information, all control and display nomenclature should use standardized 
words, abbreviations, symbols, and acronyms which are commonly 
understood throughout the Space Shuttle Program. 

aa. Containers such as film containers which may be pressurized 
(usually with inert gas) should have a positive pressure indicating device. 
Opening containers which are under positive pressure could result in injury 
from flying covers or doors. Also, a device should be provided to sense 
leakage of an appreciable amount of inert gas into an inhabited area to avert 
possible hypoxia problems. 

bb. Caution and warning placards, labels, decals, and tape should be 
properly positioned, plainly visible, and should display the necessary 
information to protect the crew from impending hazardous situations. The 
following caution and warning aids should be considered: 

(1) Labels and placards should be plainly visible under both 
light and dark conditions. 

(2) Caution and warning indicator lights should be located to 
be readily visible to crew members at their stations. 


(3) Alarms should be located so they can be heard directly by 
the crewmen. 
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3.6. 1. 1 Controls and Displays (continued) 

(4) Examples of parameters and elements on which placards or 
labels are necessary include high voltage sources, rotating machinery, 
pressurized containers, explosives, flammable materials, critical operations 
which should or should not be performed, load limits, etc. 

3. 6. 1.2 Other Equipment Interfaces 


GUIDELINES 


I njury/ 1 1 1 ness a. The use of ductile materials, energy absorbing devices, shields, 

rounded corners, and flush mounted features is recommended to eliminate or 
prevent accidental contact with sharp surfaces or protrusions. Sharp 
surfaces or protrusions include edges, crevices, points, burrs, wire ends, 
screw heads, corners, brackets, rivets, braided cable, cable swages, cable 
strands, clamps, pins, latches, lap joints, bolt ends, lock nuts, etc., which if 
contacted, could injure the crew. Areas where exposed surfaces or 
protrusions can be especially hazardous are the inhabited areas of the space 
vehicle, transfer tunnels, hatchways, and the areas of the payload bay when 
extravehicular activities will be performed. 

Injury/ll Iness b. If protruding equipment such as hoses, wave guides, cables, 

brackets, etc., cannot be eliminated, it should be made to be removable 
during service or maintenance functions. 


Contamination 


c. When not in use or during temporary removal, loose objects such 
as caps, screws, access doors, tools, locking pins, knobs, handles, lens covers, 
and similar devices should be contained or restrained. It is also 
recommended that these items be tethered or held captive to the equipment 
with which they are used. 


Contamination d. Chains, beaded links or similarly segmented devices are not 

recommended for use as tethers or restraints since they add to the potential 
for debris and loose objects. 

Injury/Illness e. Drawers should be equipped with restraining devices and stops to 

prevent accidental opening or removal of the drawer. 


Fire 


f. As a fire suppression measure, payload equipment which is to be 
installed in manned compartments should be accessible to manual fire 
extinguishers. 


Injury/I I Iness 


g. Openings (slotted or otherwise) in cabinets, covers, and similar 
enclosures through which fire extinguisher nozzles, levers, shafts, and other 
controls operate should be provided with nonflammable protective covers, 
boots, or sliding plates to prevent injury or equipment damage resulting from 
inadvertent insertion or entry of foreign objects. If ventilation holes are 
used in equipment housing covers, they should be screened or caged to 
preclude inadvertent insertion of any object which might touch high voltage 
sources or moving parts. 
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Injury/ 1 1 1 ness 


Injury/lllness 


Electrical Shock 


Electrical Shock 


Contamination 


Injury/lllness 


Injury/Illness 


Injury/lllness 


Injury/lllness 


Injury/lllness 


Injury/lllness 


DELINES 


Other Equipment Interfaces (continued) 


h. Handles, controls, and fasteners for mechanisms such as hatches, 
access doors, folding platforms, or legs should be designed with sufficient 
clearances to prevent injury to fingers and hands. Allowances should be 
made for a crewman wearing gloves or a spacesuit (see MSFC-STD-5 1 2). 

i. Wherever possible, equipment requiring adjustment during its 
operation should have external adjustment provisions, 

j. The sizes and shapes of equipment enclosing covers or cases 
should be carefully considered to preclude damage to wiring and other 
components when the cases are removed or replaced. Wire damage could 
result in short circuits and possible shock hazards to the crew. 

k. Racks, chassis, and compartments which contain exposed termi- 
nals and similar components should be clearly marked or placarded to 
indicate the highest operating voltage potential present. 

l. Any equipment which supplies or releases a gas which can be 
inhaled should include a filter as the last component in the line. The 
breathable atmosphere should be free from particulate matter to preclude 
possible ingestion of such matter. 

m. Alignment guide pins or slides should be located on panel, 
drawer, and chassis subassemblies to prevent their contact with exposed 
terminals during installation and removal operations. 

n. The use of friction-type locking pins should be avoided in 
applications where repeated cycling could degrade their locking capabilities. 

o. Moving parts such as fans, belt drives, turbine wheels and similar 
components that could cause personnel injury or equipment damage due to 
inadvertent contact or entrapment of floating objects should be provided 
with guards or other protective devices. 

p. Pressure vessels, pressure lines and other hazardous equipment or 
components should be protected from damage by dropped tools, slipping 
wrenches, drills, or overlength bolts and screws. 

q. Installed assemblies (black boxes, etc.) should be provided with 
debris shields to prevent entrapment of small pieces of equipment or debris 
behind the assemblies. 

r. Guards or covers should be provided over all termination points 
where voltage potentials exist in excess of 35 volts rms or dc with respect to 
ground if access is possible with voltage applied. 
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3.6. 1.3 Tools 

a. Payload servicing, maintenance, or repair tools should meet the 

following criteria to minimize the possibility of crew injury or adjacent 
equipment damage. 

(1) Common commercial tools should be used whenever pos- 
sible. Complex tools should be avoided. It is an STS design goal to provide 
commonality of tools for all elements. 

(2) Temporary restraints should be used for individual tools to 
prevent misplacement or loss in a weightless environment. Only essential 
tool accessories should be specified since items such as ratchets, extensions, 
pins, etc., are easily lost. 

(3) The torque values for all threaded fasteners and fittings 
should be specified in the design, and assembly, installation, and test 
personnel should be well trained to follow these requirements. 

(4) For spares replacement and contingency maintenance, 
storage bags, restraining straps, instructional decals, tape, spare nuts and 
bolts, fasteners, sealants, etc., should be provided. 

3.6.2 Flight Operations 

None 

3.6.3 Ground Operations 

None 
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3.7 HYDRAULICS 

System Description .- Hydraulic systems consist primarily of pumps, actuators, reservoirs, 
control valves, filters, lines, connectors, and hydraulic fluid. The safety guidelines in this 
section cover generally only these component types which are unique to hydraulic systems. 

The choice of hydraulic fluid for a particular application should be carefully made since it will 
influence the design and operational characteristics of the system which in turn will affect 
system safety. For example, some fluids are fire resistant while others are not. Some fluids 
work well at low temperatures but not at elevated temperatures. Others may have toxic or 
corrosive properties. These and other properties of various hydraulic fluids are shown in Table 
3.7-1. These characteristics may be useful to the payload designer in selection of hydraulic 
fluids. 

Associated Hazards .- The primary hazards associated with hydraulic systems involve the 
unplanned release of pressurized fluids by leakage or rupture and by failure or inadvertent 
response to commands due to system deficiencies or malfunctions. Misoperation during test and 
checkout or maintenance, due to operator error or inadequate procedures, can also be hazardous 
and can result in injury to personnel or damage to equipment. 

Leakage or rupture of a hydraulic system may initiate a chain of events resulting in loss of a 
critical control function such as may be required to retract a payload element back into the 
orbiter payload bay. It could result in a fire if the leaking or lost fluid is flammable and 
contacts an ignition source in the sensible atmosphere. If a system bursts or an explosion 
occurs, metal fragments may strike and injure crewmen or may damage a critical STS 
component which may compound the failure. The release of hydraulic fluid may result in 
electrical malfunctions due to shorting of contacts or connectors. The fluid may have toxic 
properties and affect exposed personnel to respiratory, eye, or skin irritation, or burns. 

Internal failure of a hydraulic system may be caused by unchecked contamination because of 
clogged or mislocated filters. Bubbles may form in the fluid lines because of poor sealing, or 
components may seize. The results of these malfunctions may cause erratic response of servo 
devices or control valves which could further result in system failure to perform some critical 
function. 

The following guidelines indicate how such hydraulic system hazards may be eliminated or 
reduced to acceptable levels. 

The design, test, and operational requirements of hydraulic systems, and the various properties 
and qualities of hydraulic fluids are covered in detail by MIL-H-5440F. The orbiter baseline 
hydraulic fluid specified in MIL-H-83282A is also recommended for use on payload applications. 
For more complete guideline coverage, reference should be made to section 3.11, PRESSURE 
SYSTEMS, which covers all generic-type safety guidelines relative to any pressurized system. 
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TABLE 3*7-1 . - HYDRAULIC FLUID CHARACTERISTICS 



VI SCO sity 
RANGE 


VISCOSITY 

INDEX 


TEMPERA- 

TURE 

LIMITS 


FIRE RE- 
SISTANCE 


PHOSPHATE 

CHLORINATED 

ESTER BASE 

HYDROCARBON 

1.08 to 

1.30 to 

1.35 

1.45 

Low to 

Low to 

high 

high 

Low to 

Low to 

high 

high 



WATER SOLUBLE W ATER IN 

GLYCOL OIL IN OIL 

WATER EMULSION 



(FROM AFSC DH1-6 DESIGN NOTE 4C2) 
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3.7.1 Design 


3.7.1. 1 


General 


a. Hydraulics system components should operate safely when 
subjected to the simultaneous extremes of temperature, pressure, vibration 
shock loading, and other environmental conditions which will be experienced 
during all phases of an operational mission. 

b. Hydraulic systems should be integrated with other systems to 
minimize hazards caused by proximity to combustible gases, heat sources, 
electrical equipment, etc. A single failure in any such adjacent system 
should not cause a hydraulic system fire. 

c. Redundant hydraulic components or subsystems should be physi- 
cally separated for maximum safety against damage from fire, rupture, 
shock, or any hazard which could affect both segments. 

d. Hydraulic lines, drains, and vents should be separated from other 
high energy sources including heat, gases, electrical current, and chemicals. 


e. The choice of which hydraulic fluid to use in a particular 
hydraulic system will affect all elements of design and can be highly 
important from a safety standpoint. The orbiter baseline hydraulic fluid is 
specified by MIL-H-83282A, and the various design and operating require- 
ments for hydraulic fluids are specified in MIL-H-5440F. The following 
hydraulic fluid characteristics should be considered to assure compatibility 
with system design and operations: 

(I) Fire resistance. 


(2) Compatibility with seals, gaskets, fittings, hoses, etc. 

(3) Temperature range for effective operation. 

(4) Lubricating compatibility with moving parts. 

(5) Corrosive properties. 

(6) Stability. 

f. Parts of a hydraulic system or attached subsystems that operate 
on pressures lower than the full system pressure should withstand full system 
pressure. If this is not practical, relief valves should be added for protection 
of such components. 

g. Peak pressures (surges, spikes, ripples) should not be allowed to 
exceed 135 percent of the main system's operating pressure (unless program 
requirements specify otherwise). 







3.7.1. 1 General (continued) 

h. The operating temperature range of a hydraulic system should be 
established early in the system design because of the impact this parameter 
will have on the selection of critical components such as hydraulic fluid, 
pressurizing gas if used, oil coolers, gaskets, seals, valves, and servos. 
Embrittlement of seals, erratic valve and servo operation and deterioration 
of the hydraulic fluid are examples of hazardous interactions caused by 
excessive temperatures. 


i. Hydraulic equipment or lines should not be located 
inhabited areas of the space vehicle. 


withir 


j. Hydraulic system components and lines should be electrically 
bonded to metallic structure. 

3.7. 1.2 Pumps and Actuators 

a. Hydraulic pumps should be protected from damage by the use of 
overload devices, bypass relief devices, vibration sensitive cutoff switches, 
pump suction pressure interlocks, and overload controls. 

b. Other safety oriented features which should be considered to 
prevent damage to hydraulic pumps with consequent danger to the crew or 
STS elements include: 

(1) Use of adequately sized bearings to withstand axial and 
side loading. 

(2) Protection of pump from contamination by installation of 
correctly sized filter elements. 

(3) Protection of the pump from cavitation because of low 
fluid levels or leakage. 

c. Design of lock valves used on hydraulic actuating cylinders 
should allow for fluid expansion throughout the anticipated temperature 
range. 

3.7. 1.3 Tubing, Lines, and Hoses 

a. Aluminum alloy, stainless steel, and titanium are prime materials 
for use as hydraulic system tubing and piping. Work hardening of aluminum, 
however, should be guarded against. Copper is not recommended because of 
possible chemical reactions. Galvanized piping is not recommended because 
of the flaking properties of galvanized material. Lines exposed to heat or 
abrasion should be fabricated from stainless steel. 
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3. 7. 1.3 Tubing, Lines, and Hoses (continued) 


Contamination 


Contamination, 

Fire 


b. Straight lines between the two rigid connection points should be 
avoided. Semiloops or flex hoses should be used to ease alignment stresses. 

c. Flex hose should be used between any two connections where 
relative motion can be expected to fatigue metal tubing. 

d. Materials used in flex hose construction should be compatible 
with the particular hydraulic fluid used and with the environment. 

e. Flex hose installations should be made to avoid abrasive contact 
with adjacent structure or moving parts. Rigid supports should not be used 
on flex hose. 


Contamination 


f. Teflon is preferred over rubber for construction of hydraulic 
hose. The advantages of Teflon include: 

(1) Much better compatibility with the hydraulic fluids cur- 
rently in use. 

(2) Chemically inert and anti-adhesive properties. 

(3) A wider operating temperature range. 


3.7. 1.4 Connectors 


Contamination, 

Fire 


Contamination 


Explosion, 

Contamination 


a. To minimize leakage of potentially hazardous fluids, all tube 
fittings, except where system entry points are needed, should be perma- 
nently joined. Welded or brazed construction is preferred over threaded or 
flared assembly. 

b. Friction-type locking devices should be avoided in safety critical 
applications. Safety wiring and self-locking nuts are examples of safe 
design; star washers and jam nuts are examples of poor design. 

c. Retainer or snap rings should not be used in hydraulic systems 
where a "blow apart" failure would result. 


3.7. 1 .5 


Filters 


Explosion, 

Contamination 


Contamination, 


a. Circulating hydraulic fluid should be filtered on the downstream 
side of the pressure pump. Filters should not be installed in the suction side 
of pumps unless test data show that pressure drops will not interfere with 
system operations. 

b. Pump case drain fluid should be filtered before it is allowed to 
enter the return side of the system. 
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Contamination, 
Fire, Explosion 

Explosion, Fire, 
Loss of Orbiter 
Entry Capability! 


Contamination, 
Fire, Corrosion 


Explosion, Fire, 
Contamination, 
Injury 


Explosion, Fire, 
Injury 


Contamination 


Explosion, Fire 


3.7. 1.5 Filters (continued) 

c. Test points or vents are prime sources for system contamination 
and should be protected by downstream filters. 

d. Standard safety criteria state that critical hydraulic systems 
should be essentially free from contaminants of larger particle size than will 
pass through a 10 micron filter. Critical hydraulic systems would include 
those used to extend, retract, or deploy payloads beyond the payload bay 
moldline. Failure of such a system could affect the orbiter's capability to 
return to Earth. 

3.7. 1.6 Seals and Gaskets 

The hydraulic system's sealing materials should be selected on the basis of 
the type of hydraulic fluid used, its temperature and pressure, and the type 
motions required of the seal. 


3.7. 1.7 


Reservoirs 


a. Hydraulic fluid reservoirs should be operable in a weightless 
environment and should not rely on gravity feed. The reservoirs should be 
equipped with shutoff valves which are operable from a safe distance in the 
event of a hydraulic system emergency. The reservoirs should be designed 
so that they do not become overpressurized. 

b. Hydraulic fluid reservoirs should be isolated from heat sources 
and from other potentially high-energy sources such as pressure vessels. The 
intent is to minimize personnel injury or material damage in the event of a 
rupture. 

Ci Hydraulic reservoir air pressurization lines should include air 
filters located to protect the pressure regulating equipment from 
contamination. Other safety oriented considerations to minimize the 
possibility of contamination include: 

(1) Use of a fluid filter at reservoir filler openings. 

(2) Use of tight-fitting filler caps. 

(3) Avoidance of dip sticks for measuring remaining fluid. 

3. 7. 1.8 Identification and Marking 

a. Components of safety critical systems such as one-way restric- 
tors, flow regulators, and filters should be permanently placarded to indicate 
the correct direction of installation. Arrows on connecting lines are not 
considered sufficient identification for this purpose. 
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Explosion, Fire 


Injury, 

Explosion, Fire, 
Contamination 

Injury, 

Explosion, Fire, 
Contamination 


3.7. 1 .8 Identification and Marking (continued) 

b. The direction of restricted and unrestricted flows should be 
indicated directly on restrictor valves. 

c. Warning placards, safety tape, color-coded labels and similar 
hazard identification material should be located in a clearly visible location 
as close as possible to the affected equipment. 

d. Safety critical test information such as pressure limits, hydraulic 
fluid specification, flow rates, etc., should be permanently posted near test 
points. 


3.7.2 


Flight Operations 


None 

3.7.3 Ground Operations 


3.7.3. 1 Test and Checkout 


Explosion, Fire, 
Injury 


a. Hydraulic systems should be proof-pressure tested as part of 
acceptance for flight use. No part of a hydraulic system should fail, take a 
permanent set, or be damaged in any manner when subjected to proof 
testing. Proof-pressure levels are established by design specification and 
will generally be at least 1.5 times the maximum operating pressure for a 
particular system. 


Explosion, Fire, 
Injury 


b. Hydraulic systems and components should withstand flight 
loading and should retain their capabilities to perform in the operational 
environments. 


Contamination 


c. Test points should be provided so that disassembly for test is not 
required. The test points should be easily accessible for the attachment of 
ground test equipment. The test connectors should be configured to prevent 
cross connection. 


Explosion, Fire, 
Injury 


d. Externally installed test circuits used during onboard checkout of 
hydraulic systems should not bypass system pressure relief devices. 


Contamination 


e. Where necessary, hydraulic system components should contain 
isolation provision to facilitate independent functional and leak checks of 
such components without disturbing the total system. 


Explosion 

Injury 


f. Hydraulic systems should have pressure indicating equipment 
marked to show safe upper and lower limits of system pressure. The 
pressure indicators should be easily visible to the operating crew. 
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GUIDELINES 


Contamination, a. Self-sealing couplings should be provided on installations which 

Fire require frequent disassembly. 

Contamination, b. Ground test and servicing ports not required to function in flight 

Fire should be designed to eliminate leakage during the flight phase. 

Contamination, c. Safety critical hydraulic systems should not require the use of 

Fire special tools for removal/replacement of components unless the use of such 

special tools is unavoidable. 
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3.8 MATERIALS 

System Description .- Although the material section does not constitute a functional subsystem, 
it is a convenient way to group the guidelines for selections and uses of payload materials. The 
guidelines discourage the use of certain metals and nonmetals in payload equipment if they are 
to be stowed in habitable areas or if failure can propagate to shuttle systems. Also contained 
herein are guidelines developed to control the use of materials possessing hazardous properties 
or characteristics in manned spaceflight operations. 

In the confinement of spaceflight habitable areas, toxic products emitted from offgassing 
materials can readily contaminate the limited atmospheric system and can pose serious threats 
to personnel. Gaseous products from fabrics, insulation and adhesives can create nauseating and 
irritating odors. Unrestricted uses of flammable materials also create potential fire hazards. 
When payload equipment is to be stowed in the orbiter cabin, it must receive the same type 
material controls as those imposed on cabin materials as specified in NHB 8060. 1 A, 
"Flammability, Odor, and Offgassing Requirements and Test Procedures for Materials in 
Environments That Support Combustion." The cabin serves as the living quarters and safe haven 
for the crew. The spacelab and payload bay are not considered safe havens nor are they of 
equal importance to the orbiter cabin from a materials flammability and toxicity standpoint. 
Careful consideration, however, should still be given to the characteristics of materials to be 
located in these payload areas; i.e., offgassing, odor, and flammability. 

Integrated payloads will contain fuels, oxidizers, and ignition sources, the three elements for 
combustion. Flame retardant materials should be selected, if possible, and the location of 
flammable materials controlled, to maintain the maximum separation for preventing flame 
propagation. Flammable materials must be prevented from contacting ignition sources by 
selecting specific locations in the payload, where possible (i.e., separation of oxidizers from 
fuels, and oxidizers and fuels from propulsive units or electrical circuitry). Efforts should be 
expended to select materials which are compatible to prevent chemical reactions which may 
lead to a chance occurrence of fire. 

Associated Hazards .- In manned spacecraft operations, hazards associated with payload 
materials are contamination of the atmosphere from material offgassing; the use of flammable 
materials leading to fire or explosion; and in case of metals, corrosive problems. (Metal 
corrosive problems are discussed in section 3.15, STRUCTURES.) Toxic fumes generated by 
offgassing payload materials located in habitable areas can present serious hazards to personnel. 
Material offgassing depositions of contaminants on thermal control surfaces can change the 
thermal characteristics leading to overheating and subsequent component failures. Offgassed 
material condensing on cold surfaces form conductive paths to other components which may 
induce subsequent equipment failures. Offgassed contaminants can fog sensitive optical 
surfaces and can interfere with the operation of interfacing experiments. Use of materials with 
low fire resistant properties for gaskets, seals, lubricants, coverings, insulation, hoses, etc. 
should be avoided as they present fire hazards in manned spaceflight operations, particularly in 
the crew areas where ignition sources and oxygen augment combustion. 

The following guidelines have been developed to identify hazards associated with materials. 
The guidelines are divided into two groups, metallic and nonmetallic materials. The metallic 
group includes metals which have been found to be hazardous in manned flight operations. The 
nonmetallic materials group includes elastomers, adhesives, lubricants, insulating materials, 
chemicals, cleaning fluids, and solvents. In both groups, the guidelines constrain materials for 
use in the habitable areas. Data on nonmetallic materials which have been tested on previous 
programs is documented in JSC 02681, "Nonmetallic Materials Design and Test Data Handbook." 
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3.8.1. I 


Design 

Metallic Materials 


Contamination, 
Fire, Explosion 


Contamination 


a. Aluminum. When selecting aluminum alloys for use with 
cryogenic fluids or gases, oxidizers, or fuels, consideration should be given 
to alloys whose heat treatments and coatings minimize the susceptibility to 
general corrosion, pitting, and intergranular or stress corrosion. Candidate 
aluminum alloys should be reviewed for compatibility with fluids and gases 
in the use condition and operating environment. 

b. Barium. When barium or its compounds are selected for 
payloads, procedures should be established for safe handling and mission 
operations. Barium and its compounds have a significant range environment 
of which toxicity, explosion and fire are possible. Containers with barium or 
its compounds must be properly marked and adequate in-flight storage 
provided. 

c. Beryllium. 

(I) Unalloyed beryllium should not be used in equipment 
carried in habitable areas unless it is suitably coated to prevent erosion or 
formation of salts or oxides. Mist, dust, or fumes containing beryllium are 
extremely toxic. Uncoated alloys containing 4 percent or less beryllium can 
be used. 


Contamination 


(2) If coated beryllium is used in the habitable areas, outgas- 
sing tests under use conditions should be conducted to verify that the 
coating provides satisfactory protection for the beryllium surface. 

d. Cadmium. The use of cadmium and cadmium-plated parts in 
contact with breathing gas or in any low atmospheric pressure environment 
should be avoided. Cadmium will vaporize rapidly at combinations of 
temperature and pressures encountered in spaceflight applications. 
Overheating of cadmium or cadmium-plated parts can severely contaminate 
the atmosphere with toxic fumes. Organic-based paint should not be used as 
an overcoating barrier for cadmium surfaces because of the porosity of the 
coating and the possibility of overcoating damage. Cadmium should not be 
allowed to contact titanium at any temperature because embrittlement can 
result. 


Corrosion 


e. Magnesium. Magnesium alloys should not be used except in areas 
where no exposure to corrosive environments can be expected, and 
protection systems can be maintained with ease. Their uses should be 
avoided in areas subjected to wear, handling abuse, foreign object damage, 
abrasion, erosion, or in areas where fluid or moisture entrapment is possible. 
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3.8. 1. 1 Metallic Materials (continued) 

f. Mercury. Mercury should not be used in equipment instru- 
mentation, testing, or calibration of components in habitable areas since it 
is extremely toxic. Mercury and its compounds can accelerate stress 
corrosion of aluminum and titanium alloys. When mercury is required, the 
following information should be documented: 

(1) A list of equipment containing mercury to be used with 
justification for each use. 

(2) The amount of mercury contained in the equipment. 


mercury. 


released. 


(3) How the equipment is protected to prevent release of the 


(4) A defined plan to accomplish decontamination if mercury is 


g. Molybdenum. Molybdenum in alloys in excess of 0.05 percent 
should be avoided for use with fluid and gas systems. The alloys can react 
violently in contact with hydrazine and amine-based propellants when the 
fluid boiling point temperature is exceeded. Without exception, material 
compatibility investigations of these alloys should be performed prior to use. 

h. Titanium. Titanium or its alloys should not be used where they 
can be exposed to liquid or gaseous oxygen exceeding two atmospheres of 
absolute pressure because a violent reaction is possible. Titanium or its 
alloys should not be used where they can come in contact with methanol. 
(Methanol may react with titanium and lead to stress corrosion.) Titanium 
should not be allowed to come in contact with nitrogen tetroxide with water 
content in excess of 2.5 percent, or a nitric oxide content less than 0.4 
percent as intergranular corrosion can be accelerated and in pressurized 
systems can undergo catastrophic failures. 

Titanium should not be used in contact with cadmium since embrittle- 
ment may ensue. Each environment contacting titanium should be analyzed 
to be certain that it and titanium are truly compatible. 

i. Any materials under stress whose failure can be catastrophic 
should be evaluated for potential failure because of incompatibility of 
materials. For example, the fabrication of tanks for the storage of fluids 
should have tests run using fracture mechanics criteria and techniques to 
assure that it is truly compatible under all anticipated storage or use 
conditions and environments. High performance materials often may be the 
poorest choices for pressurized hydrogen tanks. Only in cases where there is 
documented evidence of fluid-material compatibility should there not be 
fracture mechanics evaluation of the application intended for newly 
fabricated materials. Fracture mechanics tests should be performed when 
documented evidence or data showing fluid-material compatibility does not 
exist. 
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3. 8. 1.2 Nonmetallic Materials 

a. To prevent material failures, elastomer, rubber, and adhesive 
materials should be selected for compatibility with the use environments of 
temperature extremes, resistance to heat aging, polymer reversion, and 
compatibility with the working fluid. 

b. Materials requiring age control, such as the natural rubbers and 
some of the polyester urethanes, should be avoided. Their uses may be 
considered where their service life is equal to the service life of the 
equipment, or age control is such that replacement is readily accomplished 
during routine servicing. 

c. Elastomer materials such as Viton and Fluorel should be selected 
for use as molding compounds, conformal coatings, sprayable coatings, and 
sponge materials. These elastomers are flame resistant and maintain their 
elasticity in the space environment. 

d. In safety critical circuits such as pyrotechnics, the use of 
polyurethane conformal coatings containing solvents which dissolve poly- 
styrene compounds and other materials used on electrical circuit boards 
should be avoided. Also, the use of conformal coatings which can 
mechanically overstress components such as glass diodes on safety critical 
circuit boards should be avoided. In general, caution should be exercised in 
the selection of conformal coating materials for safety critical wiring 
boards. Conventional thickness coatings (10-15 mils) (.25-.375 mm) have 
resulted in damage to components and solder connections (use thin coatings 
of 2-4 mils (.05-. I mm) when considered appropriate). 

e. For electronic packages, silicone sealants should be selected 
which will not react with atmospheric moisture to release acetic acid that 
can cause corrosion. 


Contamination 


Contamination 


f. CNR (carboxy nitroso rubber) should not be used as a payload 
material as it liberates appreciable quantities of toxic products when 
exposed to temperatures exceeding 500 F (260 C). 

g. When using RTV (room temperature vulcanizing) silicone seal- 
ants, and adhesives in electronic packaging, adequate cure time should be 
specified to prevent liberation of acids during operation. Nonflammable 
sealants and adhesives should be selected for use on equipment to be located 
in habitable areas. 


Contamination 


h. Extreme care should be used in specifying O-rings and similar 
seals for dynamic applications in cryogenic environments. The use of 
silicone rubber materials should be avoided as they generally become brittle 
at temperatures in the neighborhood of -I84°F (-I20°C). Many generic 
classes of rubber materials become brittle at even higher temperatures. 






ASSOCIATED 
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3. 8. 1.2 Nonmetallic Materials (continued) 

Fire 

i. Silicone elastomer material should be avoided for use with liquid 

or gaseous oxygen since the elastomer acts as a fuel in pure oxygen. 
Materials which contain oil or carbon content should be avoided for use in 
oxygen systems. Chlorinated polyether resins or polyformaldehyde materials 
should also be avoided for use in oxygen systems. 

Contamination 

j. In selecting nonmetallic materials to be used as gaskets, seals, 

O-rings, and packing for oxidizers, propellants, gases and chemicals, these 
materials should be investigated thoroughly for compatibility to prevent 
material degradation, chemical disassociation, or violent reactions with the 
working fluid. 

Contamination 

k. Materials for seals, gaskets, and O-rings should not cold-flow in 

the use environment which may produce leaks of hazardous fluids. 

Contamination 

1. Lubricants should be selected for use with materials on the basis 

of valid test results confirming the suitability of the composition and the 
performance characteristics for each specific application including 
compatibility with the anticipated environment. 

Explosion 

m. Petroleum based lubricants should not be used in liquid oxygen 
systems as they react violently. 

Explosion 

n. Chlorinated fluorocarbon lubricants should not be used in 

applications where they may come in contact with aluminum or aluminum 
powder as violent reactions result. 

Contamination 

o. Lubricants to be used with O-rings or seals, should be selected on 

the basis of compatibility with the composition of the elastomer in the 0- 
rings or seals, and with the fluid being sealed. 

Contamination 

p. Minimal and nonirritating offgassing properties should be con- 

sidered when selecting materials for sealants, gaskets, O-rings, hoses, 
lubricants, insulation, and adhesives for use in habitable areas. In the 
design, materials which have to be subjected to offgassing tests should be 
specified. 

Contamination 

q. For equipment to be used in habitable areas, wire insulation, ties, 

identification markers, and protective coverings should be selected that are 
nonflammable and will not generate toxic fumes when overheated from 
electrical malfunctions. 

Contamination 

r. The use of PVC (polyvinyl chloride) should be avoided. Outgas- 

sing products of PVC are hazardous and generate products of hydrochloric 
acid, phosgene, carbon monoxide, carbon dioxide, chlorine monoxide, and 
acidic carbonaceous coke. The plastic has a low ignition point; in vacuum, it 
loses plasticizers and becomes brittle. 
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3.8. 1.2 Nonmetallic Materials (continued) 

Fire 

s. When Teflon is used on experiments to be located in the 

habitable areas, it should be assured that no organic materials such as 
pigments have been added which can cause Teflon to burn. Flammability 
tests should be required when an untested pigment is added to Teflon. 

Fire 

t. Hoses made with dichioroethane should not be used in habitable 

areas where lithium hydroxide is used for CC^ control. Dichioroethane 
mixed with lithium hydroxide generates acetylene which is highly flam- 
mable. 

Fire 

u. Highly reactive chemical fluids which can produce toxic fumes or 

are flammable should not be used in the habitable areas. If use of these 
materials is unavoidable, they should be stored in containers capable of 
withstanding operational conditions without rupture or emitting fumes, 
smoke, or gas. The containers must be adequately labeled with placards 
describing the hazardous content. Procedures for safe handling in all 
operations should also be provided. 

Explosion 

v. Nonmetallic materials for use with fluorine should be carefully 

selected as they are generally incompatible with fluorine and react 
violently. 

Contamination, 

Fire 

w. Nontoxic and nonflammable hygroscopic materials should be used 
for moisture or humidity control in experiment canisters. 

Injury/lllness 

x. Paints or coatings should not be used which can degrade in the 

use environment and can chip or flake off producing floating particles in the 
zerogravity environment. 

Contamination 

y. Paints or coatings which contain carbon black should not be used 

on equipment to be located in habitable areas. Carbon black will offgas 
toxic carbon monoxide. 

Fire, 

Contamination 

z. Photographic film and recording tapes should be selected which 

are nonhazardous in their use environments. 

Contamination 

aa. Printing inks should be selected which will not release toxic 
fumes in the habitable areas. Suitable containers should be provided (no 
glass) for storage of these inks in the operating environment. 

Fire 

bb. Flight data files, records, procedures, and checklists to be used 
during flight operations in habitable areas should be printed on fire resistant 
paper. 

Electrical Shock 

cc. Particular care should be given to the static electricity 
generation and discharge properties of nonmetallic materials. 
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3.8. 1.2 Nonmetallic Materials (continued) 

dd. Asbestos should be avoided in spacecraft use since it produces 
fibers that are hazardous to personnel and hardware. Where practicable, 
other materials should be used in lieu of asbestos. 


3.8.2 


Flight Operations 


Contamination, 
Fire, Corrosion 


Fire, Explosion 


Fire, Explosion 


Contamination 


Explosion 


a. When toxic, corrosive, and/or flammable materials are to be 
handled during flight in habitable areas, safety procedures and safe handling 
equipment should be provided. The materials should be stored so that failure 
of the containers will not release the material into the atmosphere. 
Provisions should be specified for the safe collection and storage of used or 
spent materials. Their possible chemical or physical interaction should be 
considered when collected and stored together. 

b. The location of flammable, explosive, or gas generating mate- 
rials should be carefully selected and adequate separation of these materials 
maintained to prevent ignition and flame propagation. 

c. Flammable, explosive, or gas generating materials should not be 
located in the vicinity of the entrance to habitable areas. 


3.8.3 


Ground Operations 


a. When specifying materials to be used for packaging components 
or to be used to maintain cleanliness level requirements in clean room 
applications, compatible materials should be selected for the use environ- 
ment. 

b. Polyethylene type material should not be used to package 
components in gaseous or liquid oxygen systems. Polyethylene sloughs 
particles which are pure hydrocarbon. It can be used as an outer wrapping as 
it provides good resistance to external fluid contamination provided 
antistatic type is used. 

c. Nylon should be used for the inner wrapping of components 
requiring high cleanliness levels with the exception of those for liquid 
oxygen or gaseous oxygen systems as nylon tends to slough particles. 
Migrating particles in liquid oxygen or gaseous systems present fire hazards. 
FEP (florinated ethylene propylene) Teflon is a material that can be used to 
wrap liquid oxygen or gaseous oxygen components. Caution should be used 
in selection of these materials as some may be electrostatic generators 
depending on the material manufacturing specification. 

d. When specifying cleaning agents for system fluids, adequate 
information should be provided on the chemical reaction between the 
cleaning fluid and the system fluids. Certain cleaning agents and strong 
oxidizers are known to react explosively. For example, strict control and 
instructions should be provided for the use of halogenated hydrocarbons and 
nitrogen tetroxide. 
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Explosion 

Explosion 

Contamination 

3.8.3 Ground Operations (continued) 

e. For oxidizer systems which must be serviced, complete removal 
of cleaning agents by flushing oxidizer systems with nonreacting agents 
should be specified before the oxidizer is reintroduced. 

f. Fluorinated hydrocarbon solvents should not be used in high 
pressure or liquid oxygen systems as they may react violently. 

g. If spillage of mercury has occurred during handling operations 
with experiments, the equipment should be tested for mercury contamina- 
tion. If mercury is detected, the source should be isolated, corrective action 
taken, and the equipment retested and verified free from mercury 
contamination before release for flight. 
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3.9 MECHANICAL 

System Description .- The mechanical subsystem is composed of rotating machinery such as 
pumps, compressors, turbines, centrifuges, gyroscopes, fasteners, lock pins, guide pins, booms, 
antennas, doors, covers, screens, actuating mechanisms, gear trains, and mechanical restraining 
aids. It includes shipping containers, cradles, slings, dollies, tracks, and similar equipment 
which is specifically designed to transport and handle payloads during ground operations. 

Mechanical hardware is an integral part of subsystems covered in this handbook. It can be piece 
parts of assemblies of flight systems as well as complete units. 

Associated Hazards .- The prime hazards to be eliminated or controlled by the application of 
these guidelines are collision, contamination, explosion, illness or injury to the crew and loss of 
orbiter entry capability. Collision hazards can readily be generated if equipment is improperly 
located and insecurely attached to the payload structure. During launch, entry, or crashlanding 
conditions, components can break loose and become projectiles which can enter the crew 
compartment. Loose parts can collide with flight controls and can create injury potentials 
during extravehicular activities. Explosive hazards created by runaway or overspeeding rotary 
equipment should be eliminated by incorporation of protective devices. If material fractures 
occur, fragments should be contained by screens, guards, or covers to prevent damage or 
contamination of peripheral equipment and injuries to personnel. Telescoping booms and 
extending and retracting mechanisms must be designed with redundant retraction or a jettison 
capability to assure payload bay door closure in the event of mechanism malfunctions. Payload 
bay door closure is mandatory for orbiter entry capability. Industrial safety features should be 
considered in the design of ground handling equipment to prevent hazards to personnel. 

Safe orbital payload operation and ground processing of payloads will depend on the selection of 
hazard-free hardware. In past manned programs, a number of hazards have been identified 
which are associated with the use of mechanical type hardware. The payload safety guidelines 
are based on this experience. 

Suggestions are included for selection of fasteners, locks, guides, and shear pins used for the 
mechanical integrity of assembled components. Safety recommendations are listed for 
consideration in the design of extending and retracting devices, telescoping booms, and 
actuating mechanisms and ground handling equipment. 

Since the mechanical subsystem overlaps in areas associated with structures, section 3.15, 
STRUCTURES, should also be reviewed. 
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3.9.1. I 


a. Pumps, compressors, turbines, centrifuges, and similar types of 
high speed rotating equipment should be provided with protective devices 
such as thermal overload sensors, bearing temperature sensors, pressure 
relief devices, vibration sensors, pump suction pressure interlocks, and 
overspeed controls to prevent bearing and material failures which could 
result in fragmentation. 

b. High speed rotating components such as pumps, compressors, 
turbines, centrifuges, and gyroscopes should be shielded sufficiently to 
contain any wheel systems or failed parts. Rotating machinery should 
contain protective devices such as screens or covers to prevent accidental 
human contact with rotating members. Debris guards, screens, filters, and 
similar devices should be provided to contain potential floating objects in 
the zerogravity environment. 

c. Where access to rotating members and operating equipment is 
necessary, power lockout and safety interlocks should be provided to prevent 
inadvertent operation. 

d. Pumps, compressors, turbines, fan blades, and similar rotating 
mechanisms should contain protective devices such as shear pins, friction 
clutches, magnetic clutches, or similar devices to protect the drive 
mechanism. Jammed rotating members can cause overheating , bearing, and 
material failures. 

e. In fluid systems, filters, strainers, and traps should be provided 
to contain residual debris which could threaten critical mechanical or 
electrical components. Debris or particle contamination from interfacing 
equipment can readily degrade critical mechanical items. 

3. 9. 1.2 Gyroscopes 

a. Gyroscopes should include provisions for verification of rota- 
tional speed. Incorrect gyroscope rotational speed could result in erroneous 
or loss of payload attitude control. If occurring in a free flying payload, this 
problem could create a possible collision hazard. 

b. Gyroscopes and accelerometers should be positively keyed to 
prevent interchanging or erroneous installation. Incorrect installation will 
result in erroneous attitude orientation on automated payloads which may 
lead to collision hazards. 

c. When selecting gyroscopes for payload equipment, consideration 
should be given to their bearing temperatures, lubrication, and operational 
characteristics for the use environment. 
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3.9. 1.3 Fasteners 


Injury 


Injury 


a. The torque value of bolts, connectors, and similar threaded 
fasteners should be specified in the design and should require the use of 
proper wrenching devices for assembly as opposed to using knurled knobs, 
wing nuts, etc. Properly torqued fasteners are essential to equipment 
operation. 


b. The use of similar type mechanical fasteners for different 
applications close to each other should be avoided to prevent inadvertent 
interchanges of these fasteners (e.g., threaded fasteners of the same 
diameter and the same grip length but different shank length or those having 
the same shank length but different grip length). In assembly or service, 
interchanges of the fasteners can lead to operational failures creating 
hazardous conditions and endangering personnel safety. 


Corrosion 


c. The use of metal fasteners in contact with a dissimilar type 
metal should be avoided. If unavoidable, specify the protection of the 
fastener by barrier material such as sealant, tape, primer, or suitable 
coating. Dissimilar metals can create electrocouples and can lead to 
galvanic corrosion. 


Contamination 


d. The use of captive type fasteners, such as bolts or nuts, should be 
specified in the design to prevent dropping such items and damaging 
equipment (e.g., internal securing of electronic parts such as circuit boards). 


Injury 


e. The correct bolt lengths should be specified to avoid interference 
with piece parts which can lead to subsystem failures and create hazardous 
conditions to personnel. 


Contamination 


f. Self-tapping screws which generate metallic particles should not 
be used on electronic assemblies. Particles can cause electrical failures and 
contamination problems in the zerogravity environment. 


Contamination 


g. Calfax type fasteners should be considered for use in closing 
access panels in lieu of slotted or Phillips Screws. Such single force 
fasteners aid maintenance and reduce generation of metallic particles which 
can contaminate subsystem elements. 


Injury 


h. In the design of subsystem elements, standardized fasteners 
should be used to the maximum extent practical. This will tend to reduce 
maintenance downtime and will eliminate substitution of "like" type 
fasteners which can result in equipment failures and can intensify 
probability of hazards. 


Injury 


i. Access to mechanical fasteners should adhere to MSFC-STD-5 12 
for both IVA (intravehicular activity) and EVA (extravehicular activity) 
operations. 
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Injury 


Contamination 


Injury, 

Contamination 


Contamination 


3.9. 1.4 Lock, Guide, and Shear Pins 

a. Black box designs should provide for use of guide pins or slide 
panels on drawers, and chassis subassemblies to align location of this 
equipment during installation. The guide pins and slides prevent contact of 
panels, chassis, or drawers with exposed equipment terminals and minimize 
connector failures, electrical malfunctions, etc. 

b. When pins are to be used, the design should include stowage 
location for the insertion of these locking pins or similar devices. If locking 
pins or similar devices, such as knobs, handles, caps, plugs, etc., are to be 
removed during flight operation, tether-like devices should be provided to 
hold these parts captive and prevent loose objects in the zerogravity 
environment. 

c. Friction-type locking pins or devices should not be used where 
the locking capability may be degraded as a result of repeated use (e.g., star 
washers and jam nuts should not be used). 

d. In the design of equipment which will require service and 
maintenance, associated washers or spacers installed with knobs, handles, 
locking pins, and similar devices should be adequately secured to prevent the 
unintentional removal of these parts with resultant floating objects in the 
zerogravity environment. 


3.9.1. 5 


Booms 


Loss of Orbiter 
Entry Capability 

Collision 


Collision 


Collision 


Loss of Orbiter 
Entry Capability 


a. In the design of booms which are to extend through airlocks, the 
locking and braking systems should not distort the boom when the clamping 
force is applied so that the boom cannot be retracted or ejected. 

b. . Equipment which is mounted externally to the payload structure 

should be constrained so that under normal landing or crash load conditions, 
the equipment will not break loose, become a projectile and endanger the 
crew. 

c. Payload or payload components which are to be deployed on 
extendible booms should be designed to withstand loads associated with 
deployment and flight operations. During on-orbit operations, the payload or 
payload components should not break loose and endanger the crew by 
possible equipment collisions. 

d. The design of all the extension rod segments or extension 
mechanisms should contain safety latches or similar type devices to prevent 
ejection of equipment by inadvertent disconnections during the operations of 
extending the boom. 

e. A jettison capability should be provided on solar array panels and 
extendible booms on automated (flyers) payloads which can be remotely 
controlled. Retrieved payloads must be stowed in the payload bay without 

ayload bay door interference from extension booms. 
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3. 9. 1.6 Doors, Covers, Windows 


Injury 


a. In the design of access doors, equipment covers, or hatches which 
are not to be removed, self-supporting features should be provided when 
they are to be opened during operational conditions to prevent hand injuries 
from unanticipated closures. 


Contamination, 

Injury 


b. Laser windows should be provided with covers to protect the 
window when not in use during flight and ground operations to prevent 
particle contamination leading to spurious laser reflections. 


Injury 


Collision 


Collision 


c. Payloads which will require direct interface with windows that 
form part of the pressure integrity of habitable areas of the STS should be 
designed to avoid any possible damage to the windows (i.e., scratches, 
cracks, etc.). 

3. 9. 1.7 Actuating Mechanisms 

a. When designing and locating movable, actuating, or similar 
mechanical devices, adequate clearance should be provided to prevent (I) 
interference with structure; (2) puncture of fluid lines, valves, and tanks; 
and (3) contact with electrical wiring and components or other subsystem 
components. Mechanical stops should be provided to limit the motion at 
travel extremes to the maximum position for proper functioning of the 
actuated item preventing interference with interfacing equipment. The 
mechanical stops should be designed to absorb the impact resulting from 
actuating forces and inertia at the travel extremes. 

b. Right-hand and left-hand parts should not be used in the design 
of actuating mechanisms. Similar mechanical parts and assemblies should be 
designed for interchangeability and reversibility. Those parts which are not 
interchangeable or reversible should be designed so that inadvertent 
interchange is not possible. 


Collision 


c. Rotational type mechanisms such as bell cranks and torque tubes 
should be designed to preclude incorrect installation on shafts (multiple 
keying is a preferred method). In routing torque tubes, structural deflection 
and its effect on tube functions should be considered. 


Collision 


d. Components which will require mechanical adjustments or 
alignment should be located where these adjustments can be made without 
excessive removals or disassembly of equipment. Adjustable mechanical 
devices should not be used where improper adjustment can lead to critical 
subsystem hazards. 
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MECHANICAL 



3.9. 1.7 Actuating Mechanisms (continued) 

Injury 

e. The design of foldaway or foldover type latching mechanisms 

that must be in the folded position to assure positive locking should be spring 
loaded or pinned in the folded position to prevent inadvertent opening by 
vibration or shock under operating conditions. The foldout structure or 
mechanism should be designed and installed so that parts and wiring will not 
be damaged when the structure is opened or closed. 

Injury 

f. Locking or latching mechanisms should be designed to be 

operable by a single control and should provide a clear visual indication of 
whether the latch position is opened or closed. Positive indications of 
latching mechanisms are necessary to prevent crew injuries when these 
mechanisms are actuated. 

Injury 

g. Rotational equipment within enclosures requiring periodic access 

should be designed with positive manual loading devices. Equipment such as 
motor driven canisters containing photographic equipment or telescopes 
should have access door interlocks on the drive mechanism. Crew protection 
should be considered in film retrieval and component replacement activities. 

Injury 

h. The design of panels which will contain replaceable indicator 

lights should allow for replacement of the lights from the front of the panel 
to minimize injuries to maintenance and flight personnel. 


3. 9. 1.8 Mechanical Restraints 

Injury 

a. Restraining aids, such as handles, rails, and footholds, should be 

designed into large payloads for ease of movement of suited personnel during 
servicing, repair, or retrieval of equipment during EVA operations. 

injury 

b. If an on-orbit maintenance requirement exists, design features 

should be included in mechanical elements to facilitate equipment failure 
detection, isolation, corrective action, and verification of repair. 
Allowances should be made for special tools, spares, maintenance equip- 
ment, and the required space for orbit operations. Accessibility to 
equipment attachment, electrical connections, and equipment plumbing will 
be necessary. On-orbit maintenance features should be designed to assist a 
suited crew member to perform the needed corrective action. 


3. 9. 1.9 Antennas 

Injury 

a. Antennas which are designed with electromechanical drive 

mechanisms to permit scanning should include a positive locking device to 
prevent the antennas from inadvertent rotation and personnel contact during 
flight or ground operations. 

i 
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3.9. 1.9 Antennas (continued) 

Collision 

b. To prevent rotating antennas from contacting adjacent 

subsystem equipment, the required antenna envelope should be specified in 
interface documents and on interface drawings. Interface drawings should 
also specify the look angles of signal detectors, sensors, and transducers 
which may be shadowed by a rotating antenna. 

Loss of Orbiter 
Entry Capability 

c. As an additional safety measure in the design of extendable 

antennas, methods should be considered for manual disconnection in the 
cargo bay by an EVA crewman. 


3.9.2 Flight Operations 


None 


3.9.3 Ground Operations 


3.9.3. 1 Transportation 

Collision 

a. Vehicles designed to transport equipment should contain 

permanently attached safety chains capable of holding the vehicle if the 
towbar or hitch attachment fails. Hinge-type towbars should have positive 
locking devices for stowage in the raised position with stops to prevent 
contact or collision with the load on the vehicles. 

Collision, 

Injury 

b. Transportation devices should have tiedown provisions for posi- 

tive servicing of equipment. The devices should contain reusable placards 
showing load limits. The tiedown devices should be provided with positive 
locking devices including tension and torque values on visible placards to 
prevent damage to the equipment and impact hazards to ground handling 
personnel. Attach points for the tiedowns should be clearly marked to avoid 
possible confusion in the use of the equipment. "No-step" marking should be 
included as needed on payload equipment installed in transportation devices 
to prevent injury to ground personnel. 

Collision, 

Injury 

c. Casters used on transportation devices should have self- 

contained wheel locking devices to avoid slipping or runaway creating 
collision hazards with ground personnel or damage to peripheral equipment. 


Collision d. Braking and wheel locking device controls on towed 

transportation equipment should be protected against inadvertent operation. 

Injury e. The design of shipping containers should permit the safe packing 

and unpacking of equipment without functional damage to any specially-built 
containers, fixtures, or equipment from handling or static electrical 
discharge. Materials used for packing should be nonflammable 
commensurate with the container's use and exposure. 
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3.9.3. 1 


Transportation (continued) 


f. Cradles or support devices should be designed to support the 
equipment adequately and to conform to the shape, size, and contour of the 
payload. The cradle and support devices should be designed with tiedown 
attachments for securing the payload equipment to prevent slipping and 
dropping. The cradles and support devices should also have tiedown 
provisions for securing the cradles or support devices to the transporting 
equipment. Hoist points should be readily visible on the cradles or 
supporting devices. 

g. Load bearing surfaces of the cradles or support devices should 
have sufficient bearing area to support the equipment and padding to protect 
the equipment from damage. The center of gravity of these devices should 
be conspicuously identified. Grounding provisions should be provided and 
utilized to bleed off any accumulated charge. 

h. The design of shipping containers should allow for payload cargo 
removal in a vertical direction to minimize dropping equipment hazards. 
The handling and lifting (removal of payloads from containers) should be 
included in program reviews to assure proper handling at launch facilities. 

i. Practical design features should be included to facilitate safe 
handling of bulky items during installation, maintenance, or replacement. 
These should include handles, lifting lugs or eyes, tapped holes for 
attachments, etc. (It should be remembered that flight items may have to be 
put into shipping containers, humidity control bags, etc., for replacement, 
rework, etc.) 

j. Special payload dollies, trucks, and transporters which contain 
internal combustion engines and are to be operated in propellant transfer 
areas should be equipped with spark arrestors and carburetor flame arrestors 
(authorized air cleaners) to prevent introducing ignition sources. (Vehicles 
containing catalytic converters will be excluded from operating in space- 
craft use areas.) 

k. Special payload trucks or dollies used for moving sensitive 
equipment, such as guidance and pyrotechnics, should be provided with shock 
mounts, dessicants, and other protective devices to prevent damage to 
critical parts whose failures during orbital operations can introduce hazards 
to crew personnel. 

l. Payload suppliers furnishing ground handling equipment should 
provide procedures and historical record files for periodic proof load testing 
data. The following information should be included in the file. 


(1 ) Drawing number and part number of the device. 

(2) Manufacturer. 
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Transportation (continued) 

(3) Fabrication date. 

(4) Date of last proof load test. 

(5) Date of rework or repair. 

(6) Date of magnaflux, X-ray, or penetrant dye check. 

(7) Quality control verification inspection. 


(8) Maximum safe working load. 

Payload equipment used and proof tested at other than the supplier's facility 
may be used without further proof tests if test documentation is available; if 
records show that proof testing meets minimum conditions; and if inspection 
of the equipment shows no damage or deterioration. 

3. 9.3. 2 Test and Checkout 


Injury 


Injury 


Injury 


a. Payload equipment which must be ground tested and can expose 
personnel to surface temperatures above the threshold of pain (I25°F) 
(52°C) or in the range of cryogens should be provided with adequate ground 
handling fixtures to prevent inadvertent contact by personnel. 

b. Components or mechanisms which will require operations or 
adjustments during ground operations should be designed to accommodate 
the personnel who will be responsible for performing these functions. All 
controls which should not be operated during ground operations should be 
marked with clearly visible placards or labels. 

c. Payload equipment which is to be hand-carried should not exceed 
45 kg (100 lb) mass provided the center of mass is within 35 cm (14 in) of the 
handhold. Equipment exceeding these limits should be transported on ground 
handling equipment. 


Injury 


d. Payloads containing pressurized fluids or gas in containers in 
which a rupture could result in uncontrolled motion of the experiment or can 
release toxic fumes requiring immediate evacuation of the area should not 
be hand-carried. Handling equipment containing handles, lids, and covers 
should be provided for hazardous materials. Easy to recognize markings 
should identify contents, state antidote information, or special handling 
instructions. 


Injury 


e. Equipment to be serviced, maintained, and repaired by com- 
ponent replacement should be designed for ease of access without requiring 
the removal of other equipment, wire bundles, and fluid lines. Components 
should be designed with features that contribute to the ease and rapidity of 
maintenance. 
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Contamination 


3. 9. 3. 2 Test and Checkout (continued) 

f. Nozzles and vents should be protected by readily visible covers 
or protective inserts to prevent entrance of moisture, debris, or other con- 
taminants prior to launch. 

g. Protective covers designed for the protection of flight equipment 
should offer maximum practical protection against fire. 


3. 9. 3. 3 


Assembly, Installation, Service 


Injury 


Collision 


Injury 


Injury 


Collision 


Injury 


Injury 


Injury 


a. Payload equipment requiring blankets as thermal controls in high 
traffic areas of the payload bay should be designed for easy installation and 
removal. 

b. Mechanical locking features should be provided on lifting devices 
to prevent inadvertent lowering of the equipment if the lifting mechanism 
fails. 

c. To minimize equipment damage and potential injury hazards to 
personnel in handling payload equipment, fixtures, cradles, or similar devices 
should be provided as needed. 

d. Readily visible and tethered connector caps, plugs, or covers 
should be provided as protection against damage and contamination at 
electrical and fluid outlets. 

e. The design of sling cables for use on payloads should be of 
sufficient length so that the angle formed by the cables at the point of the 
attachment to the lifting device should not exceed 45 degrees. 

f. The design specifications of payloads should include location of 
lift points, attach points, center of gravity, and gross weight for which 
lifting, hoisting, or handling fixtures may be required. 

g. Payload equipment which will require lifting or moving during 
ground operations should contain temporary or permanent installation of 
attach points, lifting eyes, tiedowns, and similar hardware for positive 
attachment of slings, cable locks, and similar devices. If cradles or support 
devices are used, they should have provisions for lifting equipment (e.g., 
sling eyes). 

h. All platforms, handrails, booms, boom extension devices, and 
similar installations which are not designed for use in a one gravity environ- 
ment should contain placards with ground operating load limits. Adequate 
protection must be provided during ground handling to prevent damage to 
these devices and resultant malfunctions during operating conditions. 
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Injury 


Inj'ury 


3. 9.3. 3 Assembly, Installation, Service (continued) 

i. All work stands should have adequate railings around their 
platforms. If these stands are mounted on casters, some positive means of 
locking these or transferring the load to separate support pads must be 
provided and utilized. 

j. Slings, handling fixtures, and other support equipment requiring 
periodic proof load testing should have some means of assuring that pins, 
devices, cables, etc., that may readily be disassembled cannot be 
inadvertently changed out with similar pieces that were not part of the 


whole assembly when it was last proof tested. 
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3.10 OPTICAL 

System Descrip tion.- Optical instruments will comprise a high percentage of the payloads 
carried by the STS. These instruments are of two types: data gathering and data transmitting. 
These data are limited to light which will pass through a lens or will reflect from a first surface 
grating or mirror. Such light ranges from 100 angstroms for extreme ultraviolet to 300 microns 
for infrared depending on intensity of the light and the density of the media in the path of the 
beam. The optical elements are generally metal or glass and are either transmissive or 
reflective. Typical optical components include first surface mirrors and gratings (flat, 
parabolic or concentric), lenses (concave or convex), flats and beam splitters (coated and 
uncoated), and prisms (coated and uncoated). Other devices and components related to optical 
instruments are apertures, slits, fiducials, baffles, light tubes, covers, and doors. Data may be 
obtained electronically, photographically, or visually. 

Typical interfaces with optical instruments are visual, mechanical, electrical, and spatial. Few 
systems will use direct viewing for data retrieval. If a crewman is required or able to view 
potentially hazardous intensities and wavelengths, however, these guidelines should be utilized. 
Ground support interfaces include optical, electronic and radiation from sources such as lasers, 
mercury vapor discharge tubes, carbon arc sources, etc., for sensor excitation, calibration or 
alignment. 

Associated Hazards .- The potential hazards which must be considered in design, handling, and 
operations of optical equipment and associated energy sources may be grouped into four general 
categories defined as follows: 

1. Personnel exposure to dangerous light radiation . High power and focused low power lasers 
can cause lesions of the skin. Most lasers can damage the eye to some extent, and reflected 
laser energy in some cases is sufficient to do serious eye damage. There are lasers that operate 
in UV (ultraviolet) and IR (infrared) wavelengths besides the visible wavelengths. These two 
categories are especially hazardous as their beams and reflections are invisible regardless of the 
energy level. Certain CC^ lasers, operating in IR, are capable of extreme beam temperatures 
and will ignite some target materials. 

Other dangerous sources of light radiation are mercury vapor lamps, high intensity carbon arc, 
and solar radiation. Solar radiation at ground level ranges from about 2800 angstroms for UV to 
about 300 microns for IR due to the atmospheric cutoff. This atmospheric cutoff is due in a 
large part to the ozone layer (40,000 to 100,000 feet) (12,000 to 30,000 meters) which filters 
much of the sun's dangerous radiation. This filtering process will not exist during on-orbit 
operations and solar radiation through a spacelab mounted quartz window may be as low as 1850 
angstroms which is hazardous to personnel. 

The primary hazard concerning carbon arc and mercury vapor lamps is eye damage from sus- 
tained observation of these light sources. A carbon arc is very uncomfortable to look at 
because of its extreme intensity. A mercury lamp, however, is relatively dim. This is deceiving 
and individuals have sustained partial loss of vision from looking at these sources for a sustained 
period of time. 

2. Temperature extremes causing toxic fumes . High temperatures involved with the various 
light radiation sources can cause toxic outgassing or combustion byproducts. Certain paints, 
when heated by radiation sources, give off toxic gases even though they may be acceptable for 
flight use at ambient temperature and pressure. Laser welding or material testing can result in 
toxic fumes which could be hazardous to the crew in a self-contained environment such as the 
STS. 
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3.10.1 


Design 


3.10.1. 1 General 


Injury, Radiation 


a. Unfiltered grating systems for UV, IR, or visible light application 
all have a zero order which contains all wavelengths which the grating sees. 
Thus, the zero order will have from about 2800 angstroms to about 20 
microns when in direct sunlight at sea level. The same zero order could 
contain as low as 1850 angstroms in a man-made environment such as from a 
mercury vapor lamp onboard the spacelab or in any laboratory at close range 
to the light source. Optical instruments should be designed to trap this 
beam so that it cannot be viewed by operating personnel. 


Injury, Radiation 


b. Quartz windows, apertures, or envelopes should not be used with 
dangerous wavelengths unless suitable measures are taken to protect 
personnel from UV and/or IR burns. 


Injury, Radiation 


c. High energy laser systems, pulsed or otherwise, should not be 
used with optical experiments unless interlocks are provided to prevent all 
laser light, even reflections, from escaping the experiment housing and 
viewed or otherwise contacted by personnel. Under certain conditions, such 
laser systems can cause blindness and lesions of the skin (see paragraph 
3.10.1.2, Lasers .) 


Injury, Radiation 


d. Light intensities and spectral wavelengths at the eyepiece of 
direct viewing optical systems should be limited to a safe range to avoid 
damage to the eye. 


Injury, Radiation 


e. In the design of direct viewing telescopes, consideration should 
be given to automatic means to protect the viewer's eyes if the field of view 
is inadvertently exposed to direct or reflected sunlight. 


Injury, Radiation, 

Temperature 

Extremes 


f. In the design of optical systems which require crew viewing 
consideration should be given to incorporating baffles and interlocks to 
preclude inadvertent exposure to focused energy of a damaging or hazardous 
nature. 


Injury 


g. Enough space should be provided at the viewing end of a tele- 
scope so that the operator has free egress with the telescope locked in any 
position. 


Contamination, 

Implosion, 

Illness/Injury 


h. Glass and similar shatterable material should be covered or 
encapsulated with a solid transparent material to protect against particles 
being introduced into the spacecraft habitable environment as a result of 
breakage. Where this is not possible or practical, other remedial measures 
should be taken such as the use of removable protective covers, warning 
signs, etc. 
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Lasers 


Injury, Radiation, 
Fire, 

Temperature 

Extremes 

Injury, Radiation, 
Fire, 

Temperature 

Extremes 

Injury, Radiation, 
Fire, 

Temperature 

Extremes 

Temperature 

Extremes 


Electrical Shock 


Explosion, Injury 


Radiation, 

Temperature 

Extremes, 

Injury/Illness 


a. Limit stops, interlocks, and shields should be provided to ensure 
that a laser beam cannot be misdirected toward personnel, adjacent equip- 
ment, or structure. 


b. Power lockouts or interrupter devices should be provided on laser 
devices to protect flight personnel during maintenance or EVA operations. 


c. Power interruption capability should be provided whenever a 
laser is removed from its mount. 


d. Positive locking features should be provided on all laser 
reflectors to preclude focus changes due to vibration (such as during launch) 
or by inadvertent contact during maintenance or general EVA operations. 

e. Lasers should be designed and constructed so that all external 
parts, surfaces, and shields are at ground potential at all times. 

f. Laser systems should use only those materials which can with- 
stand the stresses caused by repetitive pulsing of flashlamps for long 
periods. 

g. Laser reflector mirrors should safely withstand the thermal 
stresses of reflecting the laser beam. It is recommended that external 
mirrors be covered when not in use to keep them clean and thus minimize 
thermal absorption rates. 


Injury, Radiation, h. The use of quartz is not recommended for flash tubes. If 

Electrical Shock required, however, a suitable shield of plastic or nonshatterable glass should 
be used to absorb the undesirable UV radiation. Such tubes should be dis- 
abled when the cavity is open for maintenance. 


Fire, Injury, 
Radiation, 
Temperature 
Extremes 

Fire, Injury, 

Radiation, 

Temperature 



i. A shutter system should be included to prevent the laser from 
being fired inadvertently. 


j. Provisions should be made so that power output measurements 
can be made with the beam totally enclosed to prevent specular reflections 
which could be hazardous to the viewer or could even ignite combustibles at 
certain wavelengths. 
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3.10.1.2 Lasers (continued) 

Fire, Injury, 
Radiation, 
Temperature 
Extremes 

k. Laser systems should be designed to enable as many adjustments 

and system checks as possible to be made without the laser transmitting to 
reduce the radiation hazard potential to personnel. 

Explosion, 

Radiation, 

Temperature 

Extremes 

1. Laser optical systems should be environmentally sealed whenever 

possible to prevent moisture buildup in the path of the beam. Spurious 
reflections, heat buildup, steam and misdirection of the laser beam could 
result. 

Explosion, 

Temperature 

Extremes 

m. Optical coatings of the hardest practical material should be used 
with laser systems. Internal reflections caused by degraded coatings can 
cause heating and possible melting of the lens surface. These conditions can 
cause multiple hazards. 

Corrosion, 

Temperature 

Extremes 

n. Laser systems should be designed so that no field adjustments or 

maintenance are required that would expose optics to contamination when 
power levels are such that contamination could cause potential hazards. 

Injury, Radiation 

o. Laser systems should be designed so that during boresighting or 

power measurement operations the laser beam is totally enclosed and 
inaccessible to the eye. 

Injury 

p. Laser sighting eyepieces should be fitted with filters for the 

wavelength at which the laser is operating. 

Explosion, Injury 

Temperature 

Extremes 

, q. There should be ample capacity in laser operating subsystem 

elements such as power handling capacity of storage capacitors or cooling 
capacities of mirrors. 

Temperature 
Extremes, 
Injury/ll Iness 

r. Mirrors in high powered laser systems should be designed first 

surface to prevent spurious reflections and to reduce heat absorption. 

Injury, Radiation 

s. Laser power supplies with 15,000 volts and above should be 

marked to show the amount of X-radiation and microwave radiation 
generated when shields are removed. 

Corrosion, 
Explosion, Injury 

t. Handling of quartz flash tubes can result in catastrophic failure 

during operation. Fingerprints can etch the quartz which can cause the tube 
to crack and/or explode. 

Contamination, 
Fire, Radiation, 
Temperature 
Extremes 

u. A laser beam should be terminated with target material that is 

nonreflective at the laser wavelength, is fire resistant, and does not emit 
toxic fumes when vaporized. The area around the target and the beam path 
should be free from reflective materials as well. 
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3 JO. 1.2 Lasers (continued) 

v. Alignment of target, optics, filters, etc. should be accomplished 
with low powered lasers such as helium-neon. 


Injury, Radiation 


w. When necessary to view the target or beam while a laser is 
energized, it should be viewed through a closed circuit television or an 
optical comparator with appropriate filter. 

x. Because of their higher power output (megawatt and gigawatt 
range), solid state lasers such as ruby-pulsed devices should be operated by 
remote control firing where feasible. Television monitoring eliminates the 
requirement for personnel to be in the proximity with the laser. An 
alternative is to enclose the laser and beam with a light-tight box. 

y. Since damage to materials from laser energy is caused by direct 
radiative heating and resonance conditions at wavelengths equal to absorp- 
tion lines of the materials, the ignition temperature and absorption bands 
are necessary parameters in selecting a safe target material. 

z. The unused secondary laser beam emerging from the rear 
aperture of a laser should be capped. Likewise, the unused beam resulting 
from use of beam splitters should be terminated. When using optical 
gratings with lasers the zero order, blazed order, and several orders above 
and below the blazed order can have dangerous beam intensities radiating 
around the Rowland circle. These should be blocked from view of operating 
personnel. 

aa. Safety provisions such as interlocks at the entrance of the laser 
facility should be installed and constructed so that unauthorized or transient 
personnel are denied access to the facility while the laser power supply is 
charged and capable of firing. 


Contamination, 


bb. Higher-power (watt range) IR lasers such as the CC^ laser (10 
micron wavelength) should be used with the utmost precaution because of an 
invisible beam and the associated fire hazard. A sufficient thickness of 
material suitable for terminating the laser beam should be provided as a 
backstop for the beam. 

cc. Reflections of the IR beam should be attenuated by enclosure of 
the beam and target area or alternatively by eyewear constructed of a 
material opaque to the C0 0 wavelength, such as Plexiglas. 
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Contamination, 
Fire, Explosion, 
Injury 


Injury, Radiation 


Fire, Injury/ 
Illness 


Radiation, Injury 


Injury, Radiation 

Temperature 

Extremes 


3.10.1.2 Lasers (continued) 

dd. Laser installations should incorporate adequate means to prevent 
the accumulation of hazardous gases where continuous-flow gas lasers are 
used. Accumulation of cryogen liquids and gases should be controlled within 
the means of the ventilation system where purging and cooling of lasers is 
required. Use of these liquids may result in the formation of liquid oxygen. 
This can become an explosion or fire hazard. (See section 3.3, 
CRYOGENICS.) 

ee. Caution should be taken when operating lasers of subthreshold 
intensities. Current safety criteria assume that laser damage occurs on an 
all-or-none basis. Recent research by Lt.Col. G. L. M. Gibson, U. S. Air 
Force School of Aerospace Medicine has proven that single subthreshold 
exposures which are less than half of a threshold dose are cumulative and 
therefore each subthreshold exposure must damage, or in some manner 
increase, the retinal susceptibility to subsequent exposures. 

3.10.2 Flight Operations 

Laser experiments involving potentially dangerous heat sources or toxic 
materials should be performed in areas where personnel access can be 
limited, and where adequate ventilation and fire protection are provided. 

3.10.3 Ground Operations 

a. Most gas discharge tubes are made of quartz. Care should be 

exercised in using these, especially mercury vapor, as UV down to about 
1850 angstroms is possible. Eye and skin protection should be utilized. 

b. Suitable safety measures should be taken when operating dis- 

charge tubes which require microwave cavities and corner reflectors. (See 
section 3.14, RADIATION.) 
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3.11 PRESSURE SYSTEMS 

System Description .- Payload pressure systems consist of pressure vessels, lines and hoses, 
support members, connections, valves, regulators, filters, seals, instrumentation, and all other 
hardware containing liquids or gases under pressure greater than ambient. The fluids and gases 
may be inert or chemically active and may be used over a wide range of temperatures. Special 
considerations for unique fluid and gas systems such as cryogenics, propulsion, hydraulics, and 
environmental controls are covered separately in this document under their respectively titled 
guideline sections. 

Like similar STS pressure systems, payload pressurized gas or fluid systems will be normally 
located away from inhabited areas. Where practical, they should also be separated from each 
other and from critical payloads or orbiter systems. Shields or structures should be used as 
added precautions against sympathetic explosion, fire propagation, or damage due to schrapnel. 
Payload pressure systems will generally be subjected to the same flight environments as similar 
STS hardware. These systems should withstand, without damage or failure, the loads induced by 
STS vibration and accelerations at the temperatures and pressures that will be experienced in 
the STS environment. 

Special attention must be given to the design and test of pressure vessels and related control 
devices to prevent the possibility of explosion. For example, each pressure vessel should 
satisfactorily meet the requirements of NSS/HP- 1 740. 1 "Aerospace Pressure Vessel Fracture 
Control," and JSC 07700, Volume XIV, "Space Shuttle Payload Accommodations" to accom- 
modate the most severe combination of environmental and pressure conditions expected in use. 
Fracture mechanics analysis is performed on aerospace pressure vessels to determine flaw 
growth, stress corrosion, failure modes and other characteristics of materials used for pressure 
vessels. Each type pressure vessel should successfully pass qualification tests to demonstrate 
compliance with design requirements. Each pressure vessel accepted for operational use must 
also pass acceptance tests to prove its flight acceptability. 

Associated Hazards .- The primary hazard associated with pressure systems is explosion. Risk 
of explosion will depend on system variables such as pressure, volume, materials, wall thickness, 
shelf life, and environment. The degree of hazard to be controlled under any particular set of 
conditions is generally proportional to the system pressure and volume of pressure vessels. For 
example, a low pressure high volume pressure system may contain as much explosive energy as a 
high pressure low volume system. The results of a pressure system explosion include fire; crew 
or equipment contamination due to release of toxic or corrosive fluids and gases; and crew 
injury or equipment damage from high velocity flying fragments or blast overpressure. 

Pressure systems need not explode to be hazardous. A tank or line rupture, a failed connector 
or flex hose, or a broken seal could allow the leakage of toxic, corrosive, or flammable 
materials into occupied areas resulting in potential fire or contamination hazards. Rupture of a 
length of tubing or flex hose could result in a violent whipping action of the item and could 
damage adjacent equipment or structure. 

Fire, contamination, explosion, and other hazards can also be caused by the improper selection, 
location, setting, and shielding of pressure system control devices. For example, pressure 
regulators can fail open because of excessive vibration; relief valves can fail to open when 
necessary to protect a pressure vessel; a vent valve may be designed to allow corrosive gas to 
impinge on sensitive equipment, and may create sufficient thrust to disrupt stability control of 
a deployed payload or even the STS. 

The following guidelines cover the various pressure system elements which may cause or be 
affected by these hazards and discuss the criteria for safe operation of fluid or gas systems. 
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3.1 l.l Design 

3.1 I . I . I General 

a. The designation of pressure levels can vary between low (0-500 
psi) (0-35 kg/crri ), medium (501-3000 psi) (35.2-210.9 kg/cm ), high (300 1 - 
1 0,0002 psi) (21 1-703.1 kg/crri ), and ultra high (above 10,000 psi) (703.1 
kg/crri ). Extreme care should be exercised in the design and operation of 
all pressure systems to minimize the potential hazard of leakage, component 
rupture, or explosive disintegration with accompanying shock waves and 
fragmentation. The primary method for controlling pressure system hazards 
is by "design to contain." 

b. The design of pressure systems should include the capability of 
returning the system to a safe condition at anytime during ground or flight 
operations if an equipment failure or malfunction or a procedural error 
occurs. Methods for accomplishing this could include: 

(I) Provisions to bleed or vent the subsystem as protection 
against overpressure rupturing or bursting of system elements. 


(2) Provisions for isolating portions of the system to preclude 
shutdown of the entire system. 

c. If at all possible, pressure systems should be located outside 
inhabited areas of the shuttle vehicle. Also, they should not be located in 
proximity to other sources of high energy such as heat, power, and pressure 
unless adequate shielding has been provided. 

d. Payload pressure systems should withstand all shuttle initiated 
structural loads, acceleration, shock, or other loads while under operating 
pressure conditions and maximum operating temperature without suffering 
permanent set, stress damage or leakage. A complete structural analysis 
should therefore be conducted on all high pressure systems. This would 
include the worst-case consideration of vibration induced stress, surge and 
shock stress, acceleration loading, and thermal degradation of strength, as 
applicable. 

e. Nonpropulsive venting of fluids and gases has been incorporated 
on previous manned space programs and is also to be accomplished on the 
shuttle program. The payload designer should also strive to provide 
nonpropulsive venting and pressure relief, because significant unvented 
thrust can be generated at the open end of small lines, even under low 
pressure. For example, a I -inch (2.54 cm) line charged to 200 psi (14 
kg/crri ) can develop approximately 180 pounds (82 kg) of thrust. 
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Explosion, 

Contamination 


Contamination 


Fire, Explosion 


Explosion, 

Collision 


Explosion, 

Contamination 


Fire, Explosion 


Collision, 
Explosion, Fire 


3. 1 l.l. I General (continued) 

f. Pumps, valves, regulators, lines and hoses, and all such 
prefabricated components of a pressure system should have an authenticated 
pressure and service rating equal to or greater than the maximum allowable 
pressure for those components. 

g. To minimize leakage and possible overstress conditions, pressure 
system lines and component joints should be of welded or brazed construc- 
tion. Solder joints are more susceptible to leakage and should be avoided. 

h. Dissimilar metals should not be used in coolant system compo- 
nents if a galvanic circuit is thereby established with the coolant acting as 
the electrolyte. 

i. Design provisions should be made to relieve atmospheric pressure 
from payloads so that during the mission ascent phase there will be no 
possibility of pressurization beyond structural limits of the payload. 
Conversely, during the mission descent phase, payloads should also be 
provided the capability to relieve vacuum conditions because of outside 
ambient pressure. 

j. Shock waves can be generated within a pressure system because 
of sudden changes in gas flow. Those shock waves can generate pressure 
spikes far in excess of the system's design operating limits. Sudden changes 
in valve settings, rapid directional changes, or close-ended T-joints shoufd be 
avoided in the design of pressure system components. 

k. Pressure systems for oxidizers and fuels and other safety critical 
pressurizing systems should be free from dirt, lubricants, metallic debris, 
and organic matter which may combine with the propellants to cause fire or 
explosion. 

l. Accurate sensors should be incorporated to ensure that the 
pressure is totally relieved prior to opening the system for maintenance, 
replacement, checkout, or other reasons. Opening a pressure system prior to 
total depressurization could create a hazard to personnel or equipment in 
the vicinity. It could also damage equipment from explosive decompression. 

3. 1 1.1.2 Pressure Vessels 

a. Payload pressure vessel structural retention devices/ brackets 
should be capable of withstanding the 9 g crash load limit established for 
orbiter structure. Failure of pressure vessel retention mechanisms could 
result in failure which may be catastrophic to the shuttle and its crew at 
this critical time. 
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Collision, Fire 


3. 1 1.1.2 Pressure Vessels (continued) 

b. It is highly desirable that all pressure vessels be designed so that 
failure due to overpressure or to material properties will not produce 
shrapnel. Methods to minimize this hazard include: 

(1) Use of appropriate safety factors in tank design. 

(2) Use of fiberglass wound tanks. 


conditions. 


(3) Use of pressure relief devices to eliminate overpressure 


Explosion, 
Contamination, 
Fire, Collision 


Contamination 


Contamination, 


(4) Use of fracture mechanics analyses for each pressure 
vessel material used and application desired. 


design. 


(5) Reduction of stress concentration as a factor in tank 


(6) Assurance that fabrication materials of a pressure vessel 
are metallurgically compatible with the contents. 

(7) Qualification tests to verify design of a particular pressure 
vessel and acceptance testing to identify random manufacturing defects. 

(8) Use of shrapnel proof barriers or remotely located tank 
installation points to prevent propagation of an explosion from one tank to 
another and to protect the orbiter crew and other critical equipment. 

(9) It is recommended that the requirements of NSS/HP- 
1740.1, "Aerospace Pressure Vessel Fracture Control," be satisfied for the 
design, test, and operation of lightweight metallic pressure vessels and 
systems. 

c. Pressure vessels should normally be installed outside the STS 
manned or pressurized compartments to protect the crew and the pressure 
integrity of the compartment. Small pressure vessels may be permitted 
inside the pressurized compartment (cabin) provided they do not have 
credible failure modes and their failures will not expose the crew or vehicle 
to hazards. 

d. Double containment is highly recommended whenever toxic, 
flammable, or corrosive fluid can create an immediate hazard if inadver- 
tently released into a habitable area. Venting if provided should be to space 
or to another onboard container. 

e. Pressure vessels should be protected against failure by implosion 
as a result of inadequate inflow of ullage gas or pressurants as the tank 
content is drained. Protective devices would include the use of pressure 
relief valves and special procedures for prevention of tank draining without 
acceptable inf low of ullage gas. 
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3.1 1.1.2 Pressure Vessels (continued) 


Explosion, f. The location of pressure vessels within an assembly or as 

Collision installed on the shuttle must consider the possibility of tank failure caused 

by impact with adjacent hardware. Tank mounting designs should allow for 
structural distortions due to internal pressure, aerodynamic forces, vibra- 
tion, and sustained acceleration loading. 

Collision, Loss o : g. Pressurized gas vessels must be firmly secured by their mounting 

Entry Capability brackets to prevent a vessel from becoming a projectile from the thrust of 
the contained gas if a line or connector failure occurs. 


Contamination, 
Fire, Explosion 


Contamination 


Contamination 


Explosion 


Explosion, 
Collision, Fire 

Loss of Entry 
Capability 


h. The structural stability of a pressure vessel or its surrounding 
payload structure should not be dependent on the tank's being pressurized. If 
tank structural stability is independent of tank pressurization, then safety 
will be enhanced by: 

(1) Precluding the necessity for transporting, testing, and 
installing the payload (tank) in its pressurized mode. 

(2) Allowing tank pressurization at the latest time possible in 
launch preparation. 

(3) Eliminating the possibility of tank collapse by accidental 
depressurization. 

(4) Dumping of tank contents under abort conditions and 
landing loads without collapsing the tank. (Emergency landing with a 
pressure vessel fully tanked and pressurized is undesirable.) 

i. Pressure vessels and reservoirs should have isolation shutoff 
valves installed as close as possible to the downstream exit of the pressure 
vessel but below the pressure relief device if one is used. 

j. Provisions should be made to drain liquid from pressure vessels to 
enhance safety during maintenance or replacement of components. 

k. Pressurized gases should be isolated from heat sources, be cooled 
by refrigeration, or be insulated to prevent excessive pressure buildup. 

l. Pressure vessels should be clearly marked or labeled to identify 
operating pressure, type of content, and capacity. 

m. The gaseous quantity capacity of pressure vessels should be 
limited or a flow restrictor added so that a failure causing rapid expansion 
into the orbiter cargo bay will not result in overpressurization of the bay. 
This would be a concern only when the cargo bay doors are closed (i.e., 
during launch preparation, launch, entry, and landing phases). 
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Pressure Vessels (continued) 


Collision, Fire 


n. Each pressurized gas source or line within a manned 

compartment (spacelab, orbiter cabin), which could release gas into the 
compartment at a greater rate than the compartment pressure relief and 
vent system can discharge it, should have a flow restriction device at the 
pressure source to reduce the flow of gas to a level which can be handled by 
the manned compartment relief system. 

o. Venting of inert or nonhazardous gases into the orbiter payload 

bay should be minimized at all times but should be further restricted during 

periods when the payload bay doors are closed (i.e., during prelaunch, launch, 
entry, and landing phases). 

p. Hazardous gases or liquids (toxic, corrosive, flammable, 

radioactive) should not be vented into the payload bay. Safety should be 
achieved by "design to contain." 

q. Payload vents should not be propulsive. The location of vent 
ports should be located away from hot spots and should not impinge on any 
surface which may be sensitive to the venting material. 


Contamination, 

Fire, 

Injury/Illness 


3. 1 1.1.3 Lines, Tubing, and Hoses 

a. It is important that all pressure lines (fixed or flexible) be 
properly clamped and supported to minimize flexing, chafing, abrasion, and 
strain which could lead to line leakage or rupture and to restrain the line if 
rupture does occur. 

The following criteria for clamping and supporting pressure lines or hoses 
should be considered for applicability to individual designs: 

(1) System components should be supported by firm structure 
rather than by connecting tubing. 

(2) All lines used in fixed applications should be independently 
clamped or supported. 

(3) Clamps and supports should not restrict thermal expansion 
and contraction of the lines and should protect against damage from 
mechanical stress and vibration. 
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3. II. 1.3 Lines, Tubing, and Hoses 

(4) All rigid lines should be supported as close as possible to 
each bend in the line. 

(5) Flexible hoses should have a maximum slack allowance of 5 
percent of the total length. 

(6) Flexible hoses should have hose restraints connected across 
the hose connections and should be secured to the structural members. 


(7) Flexible hose restraints should be at least 50 percent 
stronger than the calculated impact force on an open line (under maximum 
operating pressure) moving through the flexure distance of the restraint. 

(8) A protective coating should be provided as an integral part 
of each flexible hose to preclude damage from abrasion or chafing. 

(9) Welds and wall thicknesses should be verified for require- 
ment compliance by nondestructive tests. 

Contamination, b. When routing pressure lines, the following safety considerations 

Fire, Injury should be observed: 

(1) High pressure lines should not be routed through manned 
compartments. If this is unavoidable, a shutoff valve should be located in 
the line immediatley after it enters the compartment. 

(2) Where redundant fluid or gas lines are used, the redundant 
line should be separated as far as practical from the primary line. 

(3) Vent lines and pressure relief lines should be located so 
that escaping gas or liquid will not be hazardous to personnel or other 
equipment. 

(4) Fluid lines should be protected from freezing because of 
proximity to cryogenics or exposure to space. A thermostatically controlled 
heater is one method of protecting fluid lines from clogging. 

(5) Plumbing lines should not be routed over sensitive equip- 
ment to protect this equipment from leaks or condensed moisture during 
ground operations. 

(6) Locations of service points for filling, draining, purging, or 
bleeding pressure systems during ground operations should be external to the 
shuttle vehicle where practical and when the system contents constitute a 
hazard. 
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Lines, Tubinq, and Hoses (continued) 


Injury, 

Contamination 


Contamination 


Injury, 

Explosion 


Contamination 


Explosion, 
Contamination, 
Fire, Injury 


c. Pressure lines and flexible hoses should be shielded, located or 
otherwise protected to preclude use as hand-holds or foot-holds during 
ground or flight operations. 

d. It is usually advantageous from design, weight, and safety 
standpoints to use rigid type tubing in all applications except when 
vibration, relative motion, contraction, or expansion properties are unusually 
severe. Only in such cases should flexible hose construction be considered. 

e. All lines, including flexible hoses, should be clearly marked or 
coded to identify content, capacity, operating pressure, direction of flow, 
date of last proof test, and the required retest interval. 

f. In the design of flex hose routing, sharp bends or twists should be 
avoided. A minimum of five times the outside diameter of the hose is 
considered acceptable as a bend radius. 

g. In a complex plumbing installation, it is sometimes difficult for 
fabrication, assembly, and test personnel to know the direction of flow. It 
is, therefore, important to eliminate installation errors of fluid line 
components whose function is dependent on direction of flow. To minimize 
this possibility, the following design safety features should be considered. 

(1) When feasible, the design of direction sensitive fluid line 
components should incorporate end fittings or connections whose dimensions 
or configurations will not permit incorrect assembly/installation. 

(2) Where feasible, flow checks should be made after each 
installation or change. 

(3) The direction of fluid flow should be clearly indicated with 
permanent markings on the exterior of the various components and mating 
lines. 


Electrical Shockl 
Fire 


Fire, 

Contamination 


(4) Staggered fittings and different diameter lines are recom- 
mended ways to prevent cross-connecting lines. 

h. Lines, piping and components within each payload subsystem 
should be electrically bonded across each connection and should be grounded 
to reduce static electrical potential. 

i. When insulating liquid-carrying pressure lines, the insulating 
material should be nonabsorbent. 


Contamination 


j. A positive sealing capability should be provided at the quick 
disconnect in pressurized fluid and gas lines when these lines are 
disconnected. 
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3.1 1.1.3 Lines, Tubing, and Hoses (continued) 

Contamination 

k. Transfer lines, including double-walled lines, should be purged 

after the transfer of hazardous fluids and before breaking plumbing 
connections. 

Contamination 

1. Fluid lines that will be required to be disconnected or severed 

during payload deployment or separation from the spacecraft should include 
a check valve or shutoff valve on both sides of the severed point to prevent 
loss of fluid after disconnection has been made. The system should also be 
designed so that any line breakage resulting from failure of the disconnec- 
ting device to function will occur on the discarded side of the disconnect. 

Contamination 

m. In the design of liquid and gas systems, consideration should be 
given to leak testing after installation of the system has been completed. 


3.1 1.1.4 Connectors and Fittings 

Contamination, 
Fire, Explosion 

a. Connectors should be keyed, sized, or located so they cannot be 

cross-connected thereby minimizing the possibility of connecting incompat- 
ible gases, fluids or pressure levels. 

Contamination 

b. Connectors and fittings which will be disconnected either during 

ground or flight operations should be provided with tethered end plates, 
caps, plugs, or covers to protect the system from contamination or damage 
when not in use. 

Contamination 

c. Brazed and welded joints are preferred for joining pressure lines 

since these type joints are less susceptible to leakage problems. Brazed 
joints were successfully used on the Skylab Program. 

Corrosion 

d. Criteria for the choice of metallic fittings, sleeves, and 

connectors should include stress corrosion resistance properties. 

Contamination 

e. Torque values for all threaded fittings and components should be 

clearly specified in the design, and special care should be taken to assure 
that assembly and installation personnel use these values. 

Corrosion 

f. B-nuts and sleeves made from 2014, 2017, 2024, and 7075 

aluminum alloys in the T4 or T 6 tempers, or type 303 stainless steel, should 
not be used because of susceptibility to stress corrosion and leakage. 


3.1 1.1.5 Filters 

Contamination 

a. Orifices, close tolerance valves, and contamination sensitive 

equipment in fluid systems should be adequately protected from contami- 
nants. If the system is designed for periodic flow reversal or the possibility 
exists that flow reversal could occur, both sides of these items should be 
protected. The use of properly sized and located filters is recommended for 
these applications. 
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Contamination 


Contamination 


Contamination 


Contamination 


3. 1 1.1.5 Filters (continued) 

b. Filter design should consider the peculiar demands imposed by 
orbital operations to remove weightless debris which under normal ground 
operations would naturally separate and be retained in sumps. 

c. Filters should be installed in pumps and compressor inlet lines to 
protect delicate or close tolerance components from contaminants. A 
differential pressure gage should be installed across such filters when an 
increase in pressure could become a hazard. 

d. As a cleanliness measure, all ground support equipment supplying 
liquids or gases to flight systems should have filters installed as the last 
components in each supply line. 

e. Where very close control is required or where a very low 
contamination level is to be maintained, filters should be placed downstream 
of each disconnect. 


Contamination 


Contamination 


f. Filter housings which must be removed from the system to 
replace filters are not recommended. This procedure merely adds to the 
possibility of further contamination and filter malfunction. 

g. Extreme care should be exercised by assembly, test, or flight 
personnel during any operation requiring opening a line between a device and 
its protective filter to ensure that additional contamination is not 
introduced. 


Seals and Gaskets 


Contamination, 

Corrosion 


Contamination 


Contamination 


a. The materials used for seals, gaskets, fittings, and lubricants 
should be compatible with the fluids and gases with which they will be used 
and should meet the cleanliness and contamination requirements of the 
system. (See section 3.8, MATERIALS, for materials selection guidelines). 

b. Where extra protection against leakage is desired or where seal 
damage or wear can be expected, the use of double seals should be 
considered if each seal can be verified separately and the seal material is 
compatible with the medium. If may also be desirable to provide seal 
replacement capability for such applications. 

c. Any deployable type payload using a fluid system fill and drain 
umbilical should incorporate a positive seal when the lines are disconnected 
during the deployment operations. The seal could be provided by a shutoff 
vaive located inboard of the payload disconnect. This would prevent 
draining or backflow of fluids into the payload bay once the line disconnect 
has been made. 








3. 1 1.1.7 Valves - General 

Explosion, Fire a. Valves for high pressure oxygen systems (3000 psi range) (211 

kg/cm^) should be slow opening and closing types. Fast operating valves in 
such high pressure oxygen systems could possibly result in the ignition of 
contaminants that may be present in the oxygen or trapped at the valve. 
Also valve components such as seats and seals should not contribute to the 
contamination of these high pressure systems. 

Contamination, b. It is not advisable to use soft-seated hand valves, especially 

Explosion upstream of regulators, or other contamination sensitive components in fluid 

systems. The tendency to overtorque valves by operating personnel could 
cause the soft seat to rupture, disintegrate, and contaminate downstream 
component devices. 

Contamination, c. It is recommended that flow restrictors, orifices, and similar 

Illness/Injury flow limiting devices be installed immediately downstream of any 
component which could fail open and exceed the flow or relief capacity of 
downstream elements or compartments. An example on Apollo was the 
placement of a flow restrictor downstream of the high pressure oxygen 
regulator valve to protect the crew cabin from overpressurization should the 
regulator fail open. It is also recommended that flow restrictors or orifices 
should not be located in a system vent or pressure relief line. 

Explosion, Fire d. Restriction orifices should only be used for pressure regulation 

under dynamic flow conditions since under static flow conditions the 
pressure would be equal across the orifice, and the downstream system 
would no longer be protected from the source pressure. 

Explosion e. Valves should be designed to minimize the generation of shock 

waves and sudden pressure surges or sudden changes in flow. 

Contamination, f. Valves or similar components that could be operated out of 

Fire sequence should be provided with interlocks so that flammable or toxic 

fluids cannot be introduced into a habitable area of the spacecraft. 

Contamination, g. To prevent inadvertent operation of hand operated valves, 

Fire locking pins or similar devices should be included in the design of these type 

valves. In addition, manually operated valves should not be used to bypass 
pressure regulators or other flow control devices. 
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Pressure Relief Valves 


Explosion, 

Contamination 


Contamination 


a. Pressure relief valves should be designed to protect against a 
pressure regulator's being stuck or failed in the full open position. The 
particular relief valve should be sized to exceed the maximum flow 
capabiltiy of its upstream pressure regulator. This capacity is necessary to 
protect the overall pressure system from further malfunction, system 
overpressure and possible rupture. 

b. To protect the low side of a pressure system from the effects of 
pressure regulation malfunction, the following relief valve settings should be 
maintained: 


Explosion 


Explosion 


Explosion, 

Contamination 


Explosion, 

Contamination 


(1) The initial opening of system relief valves should be set in 
accordance with the hazard potential of the pressurized system. 

(2) Any relief valve initial opening setting should never be 
higher than the proof pressure level of the protected system. 

c. In the design of sealed panels, consoles, or similar enclosures 
which contain liquid or gas system components, consideration should be 
given to the use of pressure relief devices. 

d. Where relief valves and burst discs are used in combination, the 
relief valves should be located upstream of burst discs. 

e. System relief devices should be clearly marked to indicate 
system function, flow direction, operating pressure setting, latest test data 
and retest requirement interval. 

f. When pressure vessels are protected by pressure relief devices, 
flow restrictors should be used when the rate of pressure relief constitutes a 
potential hazard. 

3.1 1.1.9 Pressure Requlators 


Contamination, 

Explosion 


Explosion, 

Contamination 


a. It is recommended that pressure regulators for step regulation be 
sized to operate in the center 50 percent of their total ranges. Regulators 
operating at the extreme ends of their operating ranges tend to creep and 
become inaccurate. 

b. The maximum operating pressure setting of a regulator should 
not be greater than 75 percent of its maximum pressure regulation 
capability. 
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Contamination 


Contamination, 

Explosion 


Contamination, 

Explosion 


Contamination, 
Fire, Explosion 


Explosion, 

Contamination 


Contamination 


Contamination 


Contamination 


Explosion 


3.11.1.9 Pressure Regulators (continued) 

c. If regulator input and output gages are used, they should be 
located as close as possible to the regulator for accuracy. 

d. Adjustable pressure regulation devices should be plainly marked 
to indicate the direction of pressure increase and decrease adjustment, the 
range of pressure control, latest test data, and retest requirement interval. 

e. The operating characteristics of pressure regulator valves should 
consider the pressure sensitivity of the downstream components to 
fluctuation or interruption of flow. 

3. 11. 1. 10 Shutoff Valves 

a. Isolation shutoff valves should be installed in each leg of multiple 
systems, experiments, or payloads which are supplied from a common liquid 
or gas pressure source. In this way, any branch of the overall manifolded 
pressure supply system can be isolated from the others if a failure in that 
branch occurs. These valves could also be used for independent control over 
liquids, gases or vacuum being supplied to each experiment or subsystem 
during test and checkout operations. 

b. Shutoff valves should never be used in series with relief valves 
unless a burst disc or some other positive relief device is installed to bypass 
the shutoff valve. 

c. Shutoff valves should be used at reservoirs and storage vessels if 
maintenance is required. 

3. II. 1. 1 I Check Valves 

a. Check valves are not intended to be used as shutoff valves and 
should not be considered as safety protection against the migration of 
hazardous vapors or gases. 

b. Check valves with soft seats should not be tested to higher 
pressures than the intended design pressure. The seat could later crack 
and/or disintegrate and could contaminate system elements or destroy the 
design purpose of the valve. 

3.11. 1.12 Pressure Sensing and Monitoring 

a. A pressure sensing device should be installed on the low side of 
pressure regulators, at pressure vessels, and at any point in a pressurized 
system where an upstream overpressure malfunction could exceed the 
maximum allowable system pressure. 
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Explosion, 

Contamination, 

Injury 
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3. II. 1.12 Pressure Sensing and Monitoring (continued) 

b. If a pressure regulation failure or malfunction can be injurious to 
the crew or the mission, the payload designer should ensure that a pressure 
readout is readily visible to the crew. An audible warning device should also 
be provided which will actuate at a predetermined pressure level allowing 
time for corrective action. 


Injury/lllness, 

Contamination 


Injury 


c. Direct readout pressure gages should be avoided since it is 
undesirable to route pressurized lines inside inhabited areas. Pressure 
transducers or other electrical devices should be used for pressure 
instrumentation. 

d. One consideration in the design of pressure systems is the 
arrangement of components to allow operation and surveillance from a 
common point that is relatively safe for personnel. For example, an 
operator of a high pressure system should not have to leave a remote control 
station to observe and monitor the system pressures. Valves should be 
remotely controlled where possible, and maintenance should not be required 
when the system is pressurized. 

3.11.2 Flight Operations 
None 

3.11.3 Ground Operations 

3. 1 1.3.1 Test and Checkout 

Explosion, a. Prior to installation in a system, pressure vessels, accumulators, 

Collision fabricated tubing, valves, flexible hoses, and filters should be proof tested to 

ensure their withstanding internal test pressures higher than design 
operating pressures without failure or structural deformation. Test fluids 
should be analyzed for compatibility with the pressure vessel materials used. 
For example, some fluids can accelerate stress corrosion. 

Explosion, b. Flydrostatic testing is a relatively safer and more reliable 

Collision, Injury method of system testing than pneumatic proof testing because of the higher 
stored energy contained in a compressed gas. Even though liquids are 
generally considered noncompressible and are safer to handle than gases, 
they do store up energy; therefore, hydrostatic tests must also be considered 
hazardous. 


[Explosion, 

(Contamination 


c. Pressure system elements that have been modified, damaged, 
repaired, or disturbed should be retested and/or requalified as applicable. 
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Test and Checkout (continued) 


Contamination 


Explosion, Fire 


d. The total number of proof tests to be allowed on each flight 
operational pressure vessel should be stated as part of the design data. A 
history of such proof tests should be maintained since an excessive number 
of proof tests would constitute fatigue cycling which could seriously affect 
the safety and service life of these pressure vessels. 

e. During "no-yield" proof testing, no permanent deformation of 
tanks or plumbing alignment should be allowed. Any elastic deformation 
should be measured during these tests for assurance against abrasive chafing 
of such pressure vessels and plumbing against adjacent structure during later 
ground and flight operations. 

f. Components that have been pressurized at or near their 
calculated burst or ultimate pressure limits should have no subsequent use 
other than test. These components should be marked conspicuously and 
permanently to warn of explosion hazards if pressurized. 

g. Payload pressurized systems containing hazardous fluids should 
have an inert gas leak check, under full operating pressure, prior to 
installation into the orbiter payload bay. Consideration should be given to 
performing a helium gas low pressure leak test after installation in the 
payload bay and before propellant loading of the shuttle or other STS 
elements. This check will assure that leakage rates are acceptable after 
transport and installation operations. 

h. All hazardous payload effluents vented during ground servicing or 
deservicing should be contained at the shuttle vehicle and later returned to a 
safe facility disposal area. The presence of free combustibles or oxidizer 
vapors in the vicinity of the shuttle vehicle and launch pad could create a 
fire or explosion hazard. 

3.11.3.2 Transfer and Transport 


Fire, 

Contamination, 

Explosion 


a. The handling and transfer of mutually reactive or incompatible 
fluids should include the following safety practices to protect the operating 
personnel from potential hazards such as fire, explosion, or release of toxic 
and corrosive fluids: 


(1) Reactive fluids should not be handled or transferred 
simultaneously, or the entire system should be completely separated to 
prevent accidental mixing. 

(2) After fluid transfer, the transfer lines should be purged to 
neutralize the potentially hazardous effects of trapped or residual fluids. 

(3) Design of fluid systems should prevent the possibility of 
interconnecting incompatible systems. 
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.2 Transfer and Transport (continued) 


(4) Procedures should be developed to purge cleaning agents 
from the fluid system. 

(5) Cleaning agents must be compatible with the fluid system 
with which they are used, 

(6) Fluid systems should be identified by function, commodity, 
pressure limits, and direction of flow. 

(7) Parameters such as pressure and temperature should be 
monitored throughout fluid transfer or transportation periods. 
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3.12 PROPULSION 

System Description .- On certain deployed payloads, propulsion systems are required. The 
propulsion system functions would include thrust for translation of the payload into orbit that 
the STS cannot attain, attitude control, scientific platform stabilization or rotation for pointing 
control, and translation maneuvers to accomplish rendezvous during retrieval operations. The 
types of propulsion systems (liquid or solid), the propellant combinations (mono-, hypergol, 
cryogen, etc.), the propellant feed pressure system, the start system (cartridge, tank head, or 
pressure bottle) are tailored to the particular mission requirements to accomplish scientific 
objectives. Other influencing factors in the selection of propulsion systems are performance, 
safety, cost, and compatibility with the STS. 

The hardware elements of liquid or solid propulsion systems are designed to contain, pressurize, 
relieve, deliver, mix, and exhaust the propellants in a controlled manner to produce thrust. 

In addition to controls and monitoring electronic equipment, propulsion system elements will 
generally include: 


Liquid Propulsion 

Injector and manifold 
Combustion chamber 
Gimbals and actuators 
Nozzle and extension 
Turbopumps 
Gas generator 
Start cartridge 
Propellant tanks 
Control valves and plumbing 


Solid Propulsion 

Motor case 

Nozzle and extension 

Gimbals and actuators 

Propellant grain 

Ignitor/initiator 

Thrust termination devices 


Associated Hazards .- The hazards of transporting propulsion systems in the cargo bay of the 
orbiter are primarily associated with the propellants and pressurants since these are the primary 
sources of energy for these systems. The main concern is the potential for ignition of free 
propellants in the orbiter bay and the resultant damage that would be sustained from fire or 
explosion. Contamination, toxicity, and corrosion are also items of concern for some 
propellants even if ignition does not occur. 


The safety emphasis is to assure that propulsion system propellants do not leak and are not 
ejected or vented from their containers into the payload bay. It is also important to avoid the 
presence of ignition sources in the payload bay if propellants do escape. The inert nitrogen gas 
purge of the cargo bay while the orbiter and payloads are on the launch pad in a serviced 
condition will limit fire and explosion potentials. The safety of ground personnel is also a 
concern during the handling, servicing, and installation activities of ground operations 
associated with payloads with propulsion systems. Flammability and toxicity properties of some 
propellants are presented in table 3. 1 2-11. 


The following safety guidelines can be tailored for specific payload propulsion system 
applications and indicate possible ways to eliminate or minimize the effects of the hazards. 
These guidelines generally cover those design and operational elements which are unique to 
propulsion. Other subsystem guideline sections which are related to propulsion and which should 
be reviewed for additional safety criteria applicable to propulsion systems include sections 3.13, 
PYROTECHNICS, and 3.11, PRESSURE SYSTEMS. 




FLAMMABILITY LIMIT 
(% IN AIR BY VOLUME) 


^68°F(20OC) 

#68°F (20°C) 

6.7 

36.0 



Oil or in® 
Trifluoride 


Ethylene Oxide 


Fluorine 



Hydrocarbon 

Fuels 


Liquid Hydrogen I Fuel 


Hydrogen Oxidant 

Peroxide 90% Monopro- 


Monomethyl- 

hydrazine 


Fuming Nitric Oxidant 

Acid 


Reacts vigorously with most 
known materials, including 
water 


Flammable up to 100% vapor 
concentration 


React vigorously with moct 
known materials, including 
water 


Flammable up to 100% vapor 
concentration 


Flammable, sensitive to 
mechanical shock when 
mixed with oxidants 


Highly toxic; corrosive, 
burns skin and eyes 



Highly toxic, corrosive, 
bums skin ond eyes 


Toxic, bums tissues 


g>6S°F(20°C) 0 68°F (200c) 
3.3 19.0 


^ 68°F (20°C) 
16.3 


@68°F(20°C) g>68> (20°C) 
2.0 11.8 


Data classified 
(see AFM 161-30) 


Vapor explosive when 
mixed with air 


More reactive than 
fluorine 


8»135°F(57°C] % 135 0 F(57°d 
3.6 100.0 


Gos and liquid ignite 
most materials. 


Nitrogen 
Tetr oxide 


Oxidant 


Liquid Oxygen I Oxidont 



Flammable between 2.5% and 
89% vapor concentration 


Nonflammable but supports 
combustion 


Nonflammable but supports 
combustion 


Nonflammable but supports 
combustion vigorously 


Toxic, corrosive, couses 
severe burns 


Toxic, corrosive, burns 
skin and eyes 


Nontoxic, causes 
freeze "burns" 


Not applicable 


0.50 \! @1 atm @\ atm 

2.5 92 to 98 


Not applicable 


Not applicable 


Not applicable 



None ot std. 
otmospheres 


Perchloryl 

Fluoride 


Flammable and 
pyrophoric 


Nonflammable but supports 
combustion 



0.0050 

Sudden exposure of 
even small quantities 
of liquid to air will 


result in explosion. 



Flammable, hypergolic with Toxic, irritating to 

some oxidants skin and eyes 


f/ Ports Per Million (PPM) 

2/ See Table 44 , Page 131, Bulletin 503, Bureau of Mines, Limits of Flammability of Gases and Vapors 
3/ TLV not established, value is approximated. 



atm & 77°F 
2.3 (25°C) 
@302°F(150°C) 

1.8 (app) 





































































































































3.12-4 


PAYLOA 


SECTION NO. 




PROPULSION 


GUIDELINES 


Collision, 
Explosion, Fire 


Explosion, Fire 


Explosion 


Explosion 


Explosion, 
Corrosion, Fire 

Fire, 

Contamination 

Fire, 

Contamination 


Explosion, Fire, 
Corrosion 


Explosion, Fire, 
lati 



3.12.1 Design 

3.12. 1. 1 SRP (Solid Rocket Propulsion) 

a. Safe and arm devices used on SRP should be equipped with 
positive sating capabilities during all installation and checkout operations. 

b. After an SRP system is installed in the orbiter payload bay, 
status of safety critical functions should be displayed to provide warning of 
unsafe conditions. 

c. Certain weather seals are removed prior to launch while others 
are left in place at motor ignition. Seals which are not removed should be 
designed so that they will rupture at motor ignition without leaving 
remnants that affect flow or pressure. 

d. The SRP should be grounded to all other related spacecraft 
hardware to prevent electrostatic charge buildup or a difference in potential 
for any reason. 

3.12.1.2 Liquid Rocket Propulsion 

a. Cleanliness requirements for propulsion propellant lines should be 
established, monitored, and controlled. Some propellants react explosively 
with contaminants. 

b. Closed systems and compartments containing propellants should 
be capable of in-flight venting through use of the orbiter-provided vent 
system or should be designed to withstand maximum allowable system 
pressure. 

c. Construction materials for payload propulsion systems should be 
compatible with the type of propellant used. 

d. Nonabsorbent insulation should be used where propellant systems 
require thermal protection from engine heat or cold environment. 

e. Insulation should be inspected for presence of absorbed propel- 
lants or other system fluids, and the payload should not be installed in the 
orbiter if vapors are detected. 

3.12.1.3 Tankage 

a. Pressurization of propellants should be accomplished as late as 
possible (i.e., after deployment where practical) to maintain the payload 
propulsion system in a relatively passive state while in the orbiter cargo bay. 

b. Tank filler openings should be located so that when in a one 
gravity environment, leaking, loose, or unfastened caps will not allow 
propellants to drain into the cargo compartment. 
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PROPULSION 


Explosion, Fire 


Explosion, Fire 


Collision 


Explosion, Fire, 
Contamination 

Contamination, 
Fire, Explosion 


Explosion, Fire 


Explosion, Fire, 
Corrosion 

Explosion, Fire, 
Contamination 

Explosion, Fire 


Explosion, Fire, 
Contamination 


3.12.1.3 Tankage (continued) 

c. Structural stability of payload propellant tanks should not be 
dependent upon tank pressurization. Loss of pressure and subsequent 
structural collapse of a propellant tank in the orbiter payload bay could be 
catastrophic. 

d. Common bulkheads between fuel and oxidizer tanks of hypergolic 
propellants should be avoided. Also, hypergolic fuels and oxidizers should 
not be separated by a single weld. 

e. Payload propellant tanks should be oriented within the cargo bay 
for maximum protection from rupture during a crashlanding of the orbiter. 

3.12.1.4 Plumbing (Fill, Drain, Vent) 

a. Dumping, venting, and relief of payload propellants and 
pressurants should be thrust neutralized to preclude rotational or 
translational velocities of the payload while in the vicinity of the orbiter. 

b. Propellant or pressurant lines should not be used to support other 
components. 

c. Propellant dump openings should be designed so that there can be 
no impingement on the payload nor reentry of flammable or corrosive fluids 
or vapors into the payload. 

d. The payload propellant fill, drain, and vent interface with the 
orbiter should permit main propulsion system propellant loading and 
replenishing, venting, and emergency detanking with the cargo bay doors 
closed and latched in a safe mode for launch. 

e. Payload propellant lines should be protected from excessive 
deflection due to the vibrations or accelerations of the space shuttle. 

f. Absorbent insulative materials should not be used on lines and 
components containing reactive fluids. 

g. Mutually reactive fluids and vapors should not be vented or 
relieved through the same exhaust ducts. 

h. Where practical, redundancy should be designed into propellant 
fluid systems to protect against hazardous fluid leakage. 

i. Fluid systems should be identified by function, fluid, pressure, 
and direction of flow to reduce the potential for hazardous maintenance or 
servicing actions. 
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3.12.1.5 Control and Monitor 

Explosion, Fire, 
Contamination 

a. No single valve operation should result in flow of propellant 

through a payload propulsion system while it is in the orbiter cargo bay. 

Explosion, Fire, 
Collision 

b. A minimum of two discrete and separate command and control 

events should be provided to initiate opening of propellant flow control 
valves. 

Explosion, Fire, 
Contamination 

c. Capability should be provided to determine payload propulsion 

system start sequence logic status and valve positions. 

Explosion, Fire 

d. Payload valve actuation should not be initiated by flight or 

crashlanding loads. 

Explosion, Fire, 
Contamination 

e. If common bulkheads are necessary, simultaneous pressurization 

of propellant tanks should be performed to avoid hazardous differential 
pressures. 

Explosion, Fire 

f. During on-orbit operations, propellant pressurization of the 

payload propulsion systems should be accomplished after deployment. 

Collision 

g. Gimbal positions should be monitored and interlocks provided to 

inhibit firing of a hard-over gimbalied engine. 

Explosion, Fire, 
Collision 

h. Consideration should be given to instrumenting payload 

propulsion systems to indicate when established system parameters limits 
have been exceeded. 


Collision i. Sequential commands for pa/load attitude hold and main engine 

ignition should be remotely controlled by the orbiter crew or ground control. 
Interlocks should be provided to prevent out-of-sequence operation. 

Explosion j. Payload propulsion system electronic equipment that will be 

powered while in the orbiter payload bay or which operates in closed 
compartments with propellant lines and components should be explosion 
proof. 

Contamination, k. Payloads with thrusting capability should be designed with 

Explosion positive engine isolation capability to insure that "failed-on" or leaking 

engines can be isolated. 
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Explosion, Fire 


Explosion, Fire, 
Contamination, 
Corrosion, 
Injury 


Explosion, Fire, 
Contamination, 
Corrosion, 
Injury 


Explosion, Fire, 
Contamination, 
Corrosion, 
Injury 
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3.12.1.6 Liquid Propellants 

a. Equipment, tanks, transfer lines, and other equipment which can 
transmit sparks or generate static electricity charges should be properly 
grounded to prevent the ignition of fuel/ propellant. 

b. Propellant transfer systems should be arranged and connected to 
permit safe and systematic transfer of propellants without loss or 
contamination. Pumps, valves, and lines should be sized to provide efficient 
transfer without excessive pressure loss. Construction materials, fabrica- 
tion methods, and cleaning procedures should be adequate for extended 
service with the specific propellant. System components should be 
adequately and rigidly supported with allowance for temperature changes. 

c. The hazardous characteristics of each propellant should be 
documented for the benefit of personnel who may service or work with the 
payload propellant system. Characteristics to be established include: 

(1) Threshold limits of toxicity (maximum allowable 

concentration). 

(2) Degree of toxicity and irritation. 

(3) Flammability limits in air. 

(4) Fire extinguishing agents. 

(5) Decontamination agents and procedures. 

(6) Symptoms of exposure. 

(7) Initial countermeasures and first aid for exposure. 

(8) Sensitivity to shock and heat. 

(9) Reaction sensitivity to contamination. 

(10) Purge gases and procedures. 

d. Propellant spills present both contamination and fire hazards. 
Prevention of spills should be a most important consideration. Some 
preventive design criteria that should be incorporated into the system are: 

(1) Only construction materials known to be compatible with 
the propellant should be employed. 

(2) The number of mechanical joints should be reduced to a 
minimum to reduce the probability of propellant or pressurant leakage. 
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3.12.1.6 Liquid Propellants (continued) 

(3) The system should be designed to withstand safely the 
maximum operating pressures plus a safety margin. 

(4) The transfer lines should be free from liquid traps. 

(5) An inert gas system should be provided to purge and drain 
the transfer system without the necessity of dumping residual propellant or 
disconnecting any system joints. 

(6) The valves, gaskets, and instruments used on the system 
should be reliable, compatible with the propellant, and should be properly 
serviced. 

(7) Sufficient control equipment should be provided to isolate 
portions of the system and to secure transfer equipment for emergencies or 
component replacement. Remotely controlled equipment should be designed 
to be fail-safe. 

(8) An inert gaseous blanketing system should be provided to 
prevent air from contacting propellant. 

(9) The transfer and storage system should be grounded to 
prevent the buildup of static electricity. 

3.12.2 Flight Operations 

a. The payload propulsion system should not be electrically enabled 

or mechanically armed while in the orbiter payload bay. 

b. . A payload propulsion system (excluding attitude control) should 
be enabled or armed by RF or onboard computer command after a "safe 
distance" from the orbiter has been achieved. Safe distance should be 
computed so that no inadvertent or off-nominal operation or failure of the 
propulsion stage would result in collision with the orbiter or its being struck 
by the debris of an explosion. 

c. Where practical, propulsion payloads should be oriented, 

mounted, and secured in the cargo bay in a manner to minimize orbiter- 
induced shock and vibration that could initiate propellant flow or engine 
start. 

d. Flot gas propulsion and attitude control should not be used for the 
initial separation of the payload to a safe distance from the orbiter. 








3. 1 2.2 Flight Operations (continued) 


Explosion, Fire, e. Propellant system safety critical functions should be rendered 

Contamination, safe before recovery of a deployed payload is attempted. This should 

Collision, include remotely commanding all safe and arm devices to "safe," removing 

Corrosion power from electrical systems serving safety critical functions or removing 

power from electrical circuits in the upper stage. 

3.12.3 Ground Operations 

3.12.3.1 General 

Explosion, Fire, a. Properly trained personnel are required to handle propellants 

Contamination safely. Operating personnel should be thoroughly familiar wifh the 
following: 

(1) The properties of the propellant. 

(2) Operation of the transfer and storage system. 

(3) Toxicity and physiological effects of the propellant. 

(4) Operation and use of the safety equipment. 

(5) Fire and spill prevention techniques. 

(6) Fire and spill control measures. 

Explosion, Fire, b. Detailed procedures with "Caution" and "Warning" notations for 

Contamination, loading, handling, and draining propellants should be provided for prelaunch 
Corrosion and postianding activities. 

Collision, c. Solid rocket propulsion initiator and ignitor items should not be 

Explosion, installed during ground handling, transport, and storage operations. 

Fire, Injury Installation should be at the latest feasible point during ground preparations 

for launch. 

Explosion, Fire d. The propellant system should be provided with static electricity 

protection during ground servicing. 

Explosion e. Buildings which house equipment for handling propellants should 

be well ventilated to prevent accumulation of vapors. 

Collision, Injury f. Consideration should be given to the use of thrust neutralizers 

during hazardous ground handling, transporting, and storage of SRP systems. 
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Test and Checkout 


Explosion, Fire, 
Injury 


a. Adequate proof pressure and leak testing of payload propulsion 
systems and their ground servicing equipment should be conducted before 
servicing operations at the launch site are performed. 


Explosion, F'nre, 
Contamination 


b. An inert gas low pressure leak check of payload propulsion fluid 
systems should be conducted after payload installation into the cargo bay 
and before propellant loading. 


Explosion, Fire, 
Injury 


c. Safe pressures, temperatures, and other parameters which 
indicate the status of hazardous payload fluids should be verified before 
handling, transport, or installation and checkout operations begin. 


Collision, 

Injury 


d. Periodic proof-load certification of slings, hoists, lifting and 
handling fixtures, and transporting equipment should be conducted to assure 
the equipment is in safe operating order. 
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3.13 PYROTECHNICS 

System Description .- Aerospace pyrotechnic devices consist of gas generators, detonators, start 
cartridges, explosive or frangible bolts and nuts, rocket motors, destruct systems, control 
elements, emergency flow control valves, etc. Functional applications for pyrotechnic devices 
continue to evolve. Payloads will have many applications for pyrotechnics. Some of the more 
obvious are tank pressurization valves, emergency dump valves, separation systems, and gas- 
operated deployment, retrieval and tiedown mechanisms. 

Pyrotechnic systems contain many elements that control and monitor the functional devices. 
Control elements include switches, initiators, ignitors, logic circuits, firing circuits, and power 
supplies (usually separate dedicated batteries) with arm/disarm capability, and safe and arm 
mechanisms. Monitor elements include circuit continuity test capability, safe and arm 
mechanism position indicators, safety pin streamers, and payload system measured parameters 
that indicate the functional status of the device. 

Pyrotechnics are initiated by activation of a fire switch after all prerequisite event interlock 
contacts have been closed and the necessary mechanical and electrical arming events have been 
accomplished. At fire switch activation, a low level electrical pulse progresses from the 
electrical power source through the firing circuit to the initiator bridgewire. The bridgewire 
heats and initiates the explosive train. There are many types of explosive trains. A common 
type uses explosives of progressively higher thermal energy output to reach the ignition 
temperature of the final pyrotechnic charge. This final charge is designed to accomplish the 
pyrotechnic function, whether it is ignition of a solid rocket motor, extension of a solar array 
by a gas-driven actuator, or separation of a bolt by explosion. 

Payload pyrotechnic functions will normally be controlled through an electrical interface with 
the STS or directly from ground control. Firing commands and measurements may be 
telemetered from and to the STS or ground control, and they may be hardwired from and to the 
orbiter payload control console and caution and warning system if provided. The sensitivity of 
payload pyrotechnic devices to stray electrical energy, temperature, vibration, and shock of the 
STS environment should also be a design consideration. 

Pyrotechnic devices may control structural, electrical, or fluid interfaces between payloads 
and the STS. Tiedowns may be severed by explosive bolts in an emergency mode (i.e., backup to 
electromechanical separation). Electrical interfaces may be guillotined. Fluid interfaces may 
be opened for emergency dumping or may be shutoff and severed for payload jettisoning. 

To take advantage of previous experience, JSC 08060A, "Space Shuttle System Pyrotechnic 
Specification," has been established and applies to all pyrotechnics in the space shuttle, to all 
NASA Centers with shuttle responsibilities, and their contractors or suppliers. JSC 08060A 
contains a "Shuttle Preferred Pyrotechnic Items List" which describes specific devices that have 
proven successful in previous programs. These devices meet the current shuttle requirements. 

The NSI (NASA standard initiator) which is a new designator for the earlier SBASI (single 
bridgewire Apollo standard initiator) used on the Apollo and Skylab Programs and Apollo Soyuz 
Test Project will be supplied as GFE (Government-furnished equipment) by NASA JSC to all STS 
users. NASA has concluded that the NSI can satisfy 90 to 95 percent of the STS requirements. 
In addition, the PIC (pyrotechnic initiator controller) used to safe, arm, and fire the NSI has 
been standardized throughout the shuttle vehicle and should be used for payload applications 
where practicable. 

There are two GSE (ground support equipment) items that are common and will be supplied as 
GFE by NASA JSC. These items are (I) the NSI firing unit which simulates the firing of the PIC 
and (2) the initiator resistance measuring equipment which is a special digital ohmmeter used 
for NSI acceptance and preinstallation tests. 
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Associated Hazards .- The general hazards associated with the accidental release of the 

explosive, propulsive, or thermal energy of pyrotechnic devices are well recognized. Individual 
safety analyses are required to determine the hazards of premature pyrotechnic events during 
progressive phases of the mission or the effects of failure to function when required. 
Premature performance or nonperformance of pyrotechnic functions can be critical to personnel 
survival and the preservation of the system. 

Premature extension of a payload antenna or solar array in the cargo bay of the orbiter could 
injure personnel during ground operations. While on orbit, premature extension could inflict 
sufficient damage to the orbiter cargo door or the thermal protection system to render the 
orbiter unsafe for entry. 

Failure of a propellant dump system to function in an emergency could increase the hazard of 
an abort or crashlanding because of the retention of significant amounts of propellants onboard 
during the emergency. 

Most hazards of premature or accidental activation are created by procedural or human error, 
stray electromagnetic energy from peripheral equipment, or the environment. Sequential event 
interlocks, electrical arm/disarm firing circuit interrupts, and mechanical safe and arm devices 
can be used to preclude a single failure from inadvertently initiating pyrotechnic events. 

The evolution of pyrotechnic device design, manufacturing, and testing practices has resulted in 
exceptional reliability of pyrotechnic systems to function when commanded. When the 
redundancies usually incorporated in aerospace pyrotechnic systems are included, the 
probability of their performing when required has been historically high. When a nonignition 
failure does occur, it can usually be traced to failure to receive an electrical command. Lesser 
contributors to nonperformance of qualified pyrotechnic items are out-of-control processing or 
excessive environmental exposure. 

The following section presents pyrotechnic safety design and operational guidelines that have 
been developed during years of aerospace experience. It is also suggested that the JSC listing 
of NASA-preferred pyrotechnic devices that are qualified for certain applications be reviewed 
by payload designers. This review could identify off-the-shelf devices for some payload 
applications that are already designed and qualified. 
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3.13.1 Design 

3. 1 3.1. 1 General 

Loss of Entry a. Safety critical pyrotechnic functions should have redundant 

Capability sequence logic and firing circuits through dual initiators so that no single 

electrical, mechanical, or chemical failure would prevent circuit operation. 


Explosion, b. Pyrotechnic device installations should be designed for ease of 

Collision access, arming, sating, and removal. 

Explosion, c. Pyrotechnic devices should be located within the system away 

Temperature from thermal zones that may approach the devices' safe-temperature limits. 
Extremes, Where avoidance of excessive temperature zones is impossible, thermal 

Injury insulation and heat sinks should be used to control the temperature within 

safe limits for the pyrotechnic device. 

Explosion d. Pyrotechnic devices should be designed so that the metal 

exterior can be electrically bonded to vehicle structure. 

Loss of Entry e. Pyrotechnic units that are not intended for flight use should be 

Capability color coded for conspicuous identification. 

Explosion, f. The access, electrical circuitry, and test points of pyrotechnic 

Collision units should be clearly marked in a distinctive manner. 

Explosion, g. Pyrotechnic device explosive or propellant filled volumes should 

Collision be designed to allow verification of content by neutron ray inspection or by 

other nondestructive test methods. 

Explosion, h. Pyrotechnic devices should be hermetically sealed to protect the 

Contamination propellants and explosives from moisture or evaporation. 

Explosion i. All pyrotechnic system threaded connections should be designed 

for positive locking for flight operations. 

Explosion, j. Pyrotechnic device housings should be designed to prevent debris 

Collision damage to interfacing equipment from fragments created by an explosion. 

Fire, k. Pyrotechnic exhaust products should be contained or controlled 

Contamination to prevent ignition or contamination of interfacing equipment. 

I. Magnesium should not be used in the fabrication of pyrotechnic 
devices as it creates an additional fire hazard. 


Fire 
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3.13.1.2 Destruct 

Should a waiver be granted to allow a payload to have self-destruct 
capability, the command/destruct circuitry and mechanical interruption of 
the explosive train should be sufficiently inhibited to ensure a capability to 
make the system inert on command from the arbiter or from ground control. 

3.13.1.3 Safe and Arm 


a. If a waiver has been granted for a destruct system, its safe and 
arm device should have a positive mechanical lock (i.e., safety pin) that 
prevents movement from the safe to the armed position. Removal of the 
safety pin should not cause the unit to arm. The safe and arm devices shall 
have positive indexing, and visual indication of the safe or armed position. 

b. Remote monitoring and local visual inspection capability should 
be available for determining the status of mechanical safe and arm devices. 

3.13.1 A Electrical Circuitry 

a. Deployable payload pyrotechnics should have the capability of 
being armed after safe distances from the STS are verified. 

b. Circuit breakers and activation switches used to arm and initiate 
pyrotechnic devices should be located, guarded, placarded, and procedurally 
protected to avoid inadvertent activation. 

c. The safe and arm device control and monitor circuits should be 
completely independent of the firing circuits with separate noninterchange- 
able electrical connectors. Arming and monitoring should not initiate 
pyrotechnics. 

d. There should be an arm and disarm interrupt of the firing circuit 
of pyrotechnic devices with remote control to either position to allow 
arming of pyrotechnics as late as possible in the mission sequence. 

e. The arm and disarm status of firing circuits and discrete 
indications of pyrotechnic events should have remote monitoring capability 
to provide warning of hazardous conditions. 

f. Firing sequence logic should receive power from a source other 
than the pyrotechnics batteries to avoid possibility of inadvertent arming 
and firing of pyrotechnic devices. 

g. Pyrotechnic firing circuits should be separated from other 
powered circuits to the maximum extent practical to avoid shorts between 
circuits that could fire the pyrotechnic device. 
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Explosion, 

Collision 


3.13.1.4 Electrical Circuitry (continued) 

h. Where separation of firing circuits from powered circuits through 
connectors is impractical, pin-to-pin and pin-to-case separation and electri- 
cal resistance should be maximized. 

i. Circuit and pin assignments within a connector should be such 
that any single short circuit occurring as a result of a bent pin will not allow 
current to be applied to the pyrotechnic subsystem circuit. 

j. The firing circuit disarm interrupt should be as close to the 
pyrotechnic device as possible to prevent antenna effects from energizing 
the circuit. 

k. Firing circuits should be of minimum length and should use 
twisted wire pairs to minimize receipt of stray electrical energy from other 
circuits, RF sources, or buildup of a static charge. 

l. Firing circuit shielding should be continuous from the power 
source to the case with no gaps. Shielding should be grounded to the payload 
structure at both ends where possible. 

m. The firing circuitry should be designed to protect the power 
supply from a power drain in the event the device short circuits upon 
activation. 

n. Pyrotechnic circuits should be isolated to prevent adverse 
effects from transients and ground loops. The firing circuit should have a 
separate return line to the power source for each initiator. 

3.13.1.5 Initiator Characteristics 


Explosion, a. The NSI or its equivalent should demonstrate a "no-fire" 

Collision, Injury threshold when one ampere of direct current or one watt of power is applied 
for 5 minutes. 


Loss of Entry 
Capability 

Explosion 


b. The "all-fire" reliability of the NSI or its equivalent should be 
demonstrated by test and analysis. 

c. Initiator pin-to-pin and pin-to-case resistance should be estab- 
lished to preclude shorts or static charge/discharge through the bridgewire. 
Compliance should be demonstrated by test and analysis. 

3.13. L6 Propellants 



a. Propellant-operated devices such as mortars, thrusters, and 
circuit interrupters should demonstrate a structural capability of firing in a 
locked-shut mode without fragmentation. 
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Propellants (continued) 


Contamination 


Explosion 


Loss of Entry 
Capability 


Explosion, 
Collision, Injury 


Explosion, 
Collision, Injury 


Explosion, 

Injury 

Explosion, 

Injury 

Explosion, 

Injury 


Explosion, 

Injury 


b. Solid propellant rocket motor or liquid rocket engine start 

cartridge nozzle weather seals that rupture or expel at motor ignition should 
not leave remnants that significantly alter the flow through the nozzle, 
affect the pressure in the chamber, or damage the turbine blades or nozzles. 

3.13.1.7 Explosives 

a. The number and types of high explosives should be minimized. 
HNS, HMX, and RDX are the preferred high-explosive materials (in that 
order) because of their thermal-vacuum characteristics and their relative 
insensitivity to shock. 

b. No splicing of LSC (linear shaped charges) or MDF (mild 
detonating fuse) should be allowed. This will eliminate one possibility for 
interrupting the explosive train. 

3.13.2 Flight Operations 

a. To reduce their susceptibility to inadvertent firing, pyrotechnics 
should be armed as near to the time of expected use as is practical without 
compromising reliability . 

b. To limit exposure to inadvertent firing, pyrotechnics should be 
disarmed promptly when they are no longer needed. 

3.13.3 Ground Operations 

3.13.3.1 General 

a. . Special clothing that is flame retardant, static free, and with 

grounding provisions should be used during pyrotechnic installation. 

b. Materials capable of generating static-charges should not be used 
for pyrotechnic item packing, shipping, or ground handling. 

c. The suppliers of pyrotechnic devices are responsible for obtaining 
the proper explosives classification and the regulations for packaging, 
shipping, and storage of explosives. The Space Shuttle System Pyrotechnic 
Specification, JSC 08060, provides the basis for control of all space shuttle 
pyrotechnics at the various levels of activity and should be considered for 
use by the payload developer. 

d. Pyrotechnic handling, installation, checkout, and test operations 
should be conducted by technically qualified personnel in accordance with 
approved detailed procedures. 
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Explosion, 

Injury 


e. When conducting operations involving pyrotechnics, the minimum 
number of personnel should be exposed to the smallest quantity of 
pyrotechnics for the shortest time consistent with safe operations. 


Explosion, 

Injury 


f. Procedures should be written for ground operations involving 
pyrotechnics. These should include specific safety precautions such as 
grounding requirements, number of personnel, required tools, and electrical 
checkout equipment. 


Explosion, 

Injury 


g. Safe and arm device safety pins should be marked with a 
streamer when installed. Removal of the safety pin should be as late as 
practical before launch. 

3.13.3.2 Installation 


Explosion, 

Injury 


a. RF silence should be established and maintained during installa- 
tion and electrical connection of pyrotechnics. 


Explosion, 

Injury 


b. Sensitive initiating elements should be installed in the system 
just prior to electrical hookup as late as possible before launch. 


Explosion, 

Injury 


c. Shielding caps should be installed on initiators during shipment, 
handling, and storage. The cap's outer shell should be conductive, provide an 
RF shield, and make a positive electrical contact with the case. The cap 
should not be closer to the pins than the pins are to the case. 

3.13.3.3 Test 


Explosion, 

Injury 


a. Continuity test equipment should not be capable of delivering 
sufficient current to initiate or degrade pyrotechnic devices. (Standard 
ohmmeters may be capable of providing sufficient current to initiate 
pyrotechnics.) 


Explosion 

Injury 


b. A hazardous-current test of pyrotechnic circuits should be 
conducted prior to making firing-circuit connections, and any residual 
current in the circuit should be eliminated before making the connection. 
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3.14 RADIATION 

S ystem Description .- On all previous manned space programs, the harmful effects of natural and 
artificial sources of radiation were minimized by careful attention to cabin and . equipment 
shielding design, limits to radiation sources allowed onboard, allowable crew exposure times, 
and accurate monitoring of radiation levels, it is of primary interest that such safe radiological 
controls be continued on the STS program and proposed payload elements. 

NASA implementation of NRC (Nuclear Regulatory Commission) rules and regulations requires 
that the use of radioactive sources in the payloads to be flown on the STS must be reviewed and 
approved by JSC. This approval process may be initiated by use of JSC form JSC-44 which may 
be obtained from the JSC Space Shuttle Program Office. For payloads using RTG's 
(radioisotope thermoelectric generators) such as SNAP (systems for nuclear auxiliary power) and 
similar devices, approval will involve procedures identified in the NASA ERDA (Energy 
Resources and Development Agency) Interagency Agreement I052.72A. 

There are various sources of ionizing radiation and electromagnetic interference type radiation 
which must be adequately controlled on payload elements to prevent damage to the shuttle 
spacecraft, other payload components or experiments, and the crew. Radiation-sensitive equip- 
ment includes ordnance system pyrotechnic circuits, communications, and orbiter control 
systems. Examples of potential payload radiation sources or devices include: 

1. RITE (radioisotope for thermal energy) fuel capsule. 

2. Isotope Brayton power conversion system using heat capsules containing radioactive 
material such as plutonium 238. 

3. Nuclear reactor power source. 

4. Radionuclide tracers, calibration, and check sources. 

5. X-ray emitters, particle accelerators, vidicons. 

6. Radar or communication antennas. 

7. Microwave generators. 

Lasers are another source of radiation; because they are optical devices, safety guidelines 
concerning these payload elements are enumerated in section 3.10, OPTICAL. 

Associated Hazards .- Payload radiation sources may significantly contribute to the radiation 
levels to which the crew of the orbiter may be exposed, and these should be shielded and con- 
trolled. Table 3. 1 4-11 1 shows the current radiation exposure limits established for flight 
crewmen. The limits presented in the table have been established by the Radiation Safety Panel 
for Manned Spaceflight and represent the total allowable radiation limits for the crew from all 
sources. As a general guide, individual payloads should be designed to a factor of one hundred 
below the limits presented in table 3. 14-111, and any requested deviations should be reviewed and 
evaluated on an individual basis. 
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TABLE 3. 1 4-MI.- RADIATION EXPOSURE LIMITS AND EXPOSURE RATE 

CONSTRAINTS FOR UNIT REFERENCE RISK* 


Constraints 

REM** 

Bone Marrow 
(5 cm) 

Skin 

(0.01 mm) 

Eye 
(3 cm) 

l-year average daily rate 

0.2 

0.6 

0.3 

30-day maximum 

25 

75 

37 

Quarterly maximum 

35 

105 

52 

Yearly maximum 

75 

225 

1 12 

Career 

400 

1200 

600 


*For details, see "Radiation Protection Guides and Constraints for Space Missions and Vehicle 
Design Studies Involving Nuclear Systems, Report of the Radiobiological Advisory Panel of the 
Committee on Space Medicine, Space Science Board, National Academy of Science, 1970." 

**REM (Roentgen equivalent man) REM is a unit of radiation dose equivalent. For details, see 
"International Commission on Radiation Protection," Publication No. 9, 1966. 

In addition to crew injury, the principle equipment oriented radiation damage considerations are 
bulk (crystal) damage and ionizing (surface) effects associated with semiconductor electronics, 
ionization effects in materials, and dynamic interference effects in sensors. The most sensitive 
components to bulk damage are light emitting diodes in solid state displays and high power 
semiconductors. Other radiation sensitive devices include grazing incidence X-ray telescopes, 
air-glow photometers, and nuclear gamma ray spectrometers for high energy stellar astronomy. 

Electromagnetic radiation, generated by the operation of radar equipment, induction heaters, or 
communications equipment, can be hazardous if it is of sufficient magnitude to affect the firing 
circuits of ordnance devices. It could also affect electronic control circuits, disrupt the 
transmission of data and other communication to and from ground stations, and be hazardous to 
personnel. 

The guidelines in this section deal with the handling, shielding, servicing and other means of 
limiting radiation sources such as radioisotopes and nuclear reactor power sources and 
radioactive materials such as paint and similar coatings. Electromagnetic and microwave 
sources of radiation are also covered. 

A report illustrative of guidelines and background for the design, control, and operation of 
ionizing radiological equipment is provided by the General Electric study 72SD420I completed 
in January 1972, titled "Manned Space Flight Nuclear System Safety." 
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3.14.1 


Design 


There are various and specific Government regulations regarding the use of 
major radioactive sources. The guidelines in subsection 3. 14. 1.1 deal with 
typically large radioactive sources and suggest design practices for safe 
utilization. The guidelines in subsection 3.14.1.2 cover typically small 
radioactive sources. The JSC Space Shuttle Program Office should be 
contacted for instructions and applicable requirements for safe usage and 
handling of all these materials. 

3. 1 4. 1 . 1 Ionizing Radiation Sources 

a. Isotope and reactor systems using liquid metal in heat transfer 
loops should be designed for safe handling and freedom from liquid metal 
loop leakage. Liquid metal reacts violently with water and moist air. To 
minimize the effects of this hazard, the following options should be 
considered: 

(1) Toxic, corrosive, or explosive coolants should be avoided 
where feasible. Power conversion systems featuring the Brayton cycle or 
the organic Rankine cycles permit relatively low temperature operation 
allowing the use of nonliquid metal coolants. 

(2) Double-walled containment of the liquid metal should be 
provided throughout the coolant loop. 

(3) An inert, dry gas blanket around the heat source should be 
used during all storage, transporting, and launch operations following 
assembly of isotope heat source components. 

(4) Liquid metal leak detection should be provided during all 
operational phases. 

b. Adequate blast overpressure, fragmentation, and fireball pro- 
tection should be provided to assure containment of all radioactive material 
if an accident occurs. 


Radiation 


c. Payloads containing reactor or isotope systems, tracers, X-rays, 
cathode ray tubes, radar, and other sources of ionizing radiation should be 
shielded, oriented, or otherwise limited to prevent exceeding crew radiation 
limits outlined in table 3. 14-111 and as controlled by the Radiation Safety 
Panel at JSC. 


Radiation 


d. Reactor and isotope systems should be instrumented to allow 
ground and flight crews to monitor radiation levels of critical elements and 
temperature and pressure of the primary heat transfer loop to detect 
leakage and thermal performance. 
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3. 14. 1.1 Ionizing Radiation Sources (continued) 

Radiation 

e. A redundant lockout circuit should be provided to prevent 

inadvertent activation of a nuclear system. 

Explosion 

f. A redundant automatic means of reactor shutdown should be 

provided to control operation under all contingencies. 

Radiation, 

Injury 

g. Direct visual or TV coverage should be provided during isotope/ 

component transfer to allow the ground or flight crews to see that the 
radioactive material is properly located and shielded. 

Radiation, 

Injury 

h. Equipment should be provided for locating radioactive material 

which has been inadvertently released in a manned area or module. 

Temperature 

Extremes, 

Injury 

i. The design of payload reactor coolant loops that use liquid metal 

as a primary coolant should not require breaking or opening during orbital 
operations because of the very high temperatures involved. 

Radiation 

j. Tracking and recovery-locating devices should be provided on 

nuclear payloads to facilitate land or water recovery if the payload is 
jettisoned. 

Radiation, 

Explosion, 

Injury 

k. A reactor jettison system capability should be provided with all 

nuclear payloads to protect the crew and vehicle. Safe procedures should 
also be established for the disposal of radioactive waste or radiation- 
contaminated material. 

Radiation, 

Explosion 

1. A positive and p ermanent shutdown system should be provided 

for malfunctioning reactors and for reactors which have completed their 
missions. 

Radiation, 

Injury 

m. Design of nuclear hardware should include intact reentry and 
impact to protect the general public from potentially dangerous radiation. 


3. 1 4. 1 .2 Radioactive Materials 

Radiation, 

Contamination, 

Injury 

a. The use of radioactive materials in spaceflight presents unique 

handling and contamination problems. It is recommended that any proposed 
use be carefully considered and that alternative approaches be evaluated 
where practical and economical. 

Radiation, 

Contamination 

b. Radioluminescent materials should have positive mechanical 

protection against abrasion, flaking, or direct crew contact. Radioactive 
paints used for illuminating panel instrument nomenclatures should be 
avoided. The deposited energy from radioactive material will eventually 
break the paint bond releasing particles into the atmosphere where they 
could be ingested by the crew or lodge in their eyes. 
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3.14.1.2 Radioactive Materials (continued) 

c. Where radioluminescent material best satisfies system 

requirements, the following precautions should be taken: 


(1) Each proposed use of radioluminescent material should be 
approved through the JSC Space Shuttle Program Office. 

(2) Only the minimum amount of the radioactive materials 
should be used. 

(3) Radioactive materials should be completely sealed or 
encapsulated in substances having low damage potential from the inherent 
radiation. 


Illness/Injury 


Radiation, 

Contamination 


(4) The seals for radioactive material should withstand damage 
due to ground or space environment, accidents, or mishandling. 

(5) The component bearing the radioactive substance should be 
designed for replacement with no damage to the seal of the radioactive 
substance. 

( 6 ) The substance to which radioactive paint or similar coating 
is applied should be rigid enough to prevent paint flaking due to flexure. 

(7) Each item containing radioactive material of a quantity 
sufficient to require NRC licensing should be permanently marked in a 
manner approved by the JSC Space Shuttle Program Office. 

d. in general, components containing radioactive materials should 
be labeled "Radioactive Material" in accordance with NRC rules and 
regulations. Systems hardware containing these components should be 
brought to the attention of the JSC Space Shuttle Program Office. 

e. To minimize the probability of radioactive material spillage and 
the effects thereof, the following precautions should be considered: 

(1) Properly shielded and firmly secured storage vaults should 
be provided for radiation sources. 

(2) Special caution and warning sensors in conjunction with STS 
provided instrumentation may be advisable to detect any level of radiation 
leakage from storage vaults or containers. 

(3) Special clothing should be provided for personnel involved 
in handling or using radioactive materials. The need for protective clothing 
will depend on the nature of the operation and the degree of containment of 

the radioactive material. 
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.2 Radioactive Materials (continued) 


(4) Strict procedures should be provided for the handling and 
use of radioactive materials. 

(5) Spare shielded containers should be available in which 
radioactive material can be temporarily stored in the event of an accident. 

(6) All components and equipment containing radioactive 
materials should have redundant seals to protect against leakage. 

3.14.1.3 Electromagnetic Interference/Microwave 

a. Adequate shielding of control and communication equipment, 
pyrotechnic devices, and other critical equipment is needed to prevent loss 
of control or monitoring functions because of saturation of electronic 
circuits and to prevent initiation of explosive devices from induced currents. 

b. It may be necessary to provide a backup (emergency) commu- 
nications link that will not be affected by EMI or to establish procedures and 
schedules which consider the periodic disruption of normal communications. 

c. Induction heaters are a potential source of EMI. The EMI signa- 
ture of all such heaters considered for use should, therefore, be determined, 
and the unit exhibiting the lowest EMI should be the preferred unit. 

d. When EVA activities are required, a means should be provided to 
isolate all power from equipment generating microwave and/or electro- 
magnetic radiation. 

e. To protect personnel during ground operations, shields, guards, 
and warnings should be provided where EMI emitting equipment is operating. 
Strict procedures should also be provided for these operations. 

f„ Radio frequency equipment should be shielded to prevent 

continuous exposure of personnel to RF levels greater than 10 MW /CM . 
This level has been adopted by many Government agencies as a standard to 
prevent acute and chronic RF radiation damage to any organ of the body. 

3.14.2 Flight Operations 

a. To prevent possible radiation leakage danger to ground and flight 
crews, nuclear reactor power modules should be designed for transportation 
to space while in a preoperational mode. The reactor should not be 
activated while in immediate proximity to the orbiter. 

b. To protect the flight crew, on-orbit nuclear cargo transfer 
operations should not require EVA. 
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3.14.2 Flight Operations (continued) 

c. Unauthorized personnel should be restricted from using radiation 
producing equipment or handling and using on-board radioisotopes. The 
installation of appropriate caution signs and other means of warning fea- 
turing visible or audible signals should be considered. 

3.14.3 Ground Operations 

a. Once assembled, an isotope heat source is active and contin- 
uously emits radiation and heat. A redundant ground cooling system should 
be provided to dissipate this heat during prelaunch operations. Radiation 
shielding for the protection of ground crews and critical equipment should 
also be provided at this time. The following guidelines should be considered 
to minimize these concerns: 

(1) Radioactive material should be assembled in radioisotope 
power systems as late in the countdown sequence as feasible to reduce the 
hazards to the crew and equipment and to provide minimum impact on 
prelaunch operations. 

(2) The isotope heat source ground cooling system should be 
designed so that two failures must occur before system cooling is lost. 

(3) The isotope ground cooling system should be adequately 
instrumented to sense any loss or degradation of heat dissipation capability. 

b. Payloads producing nuclear radiation of sufficient quantity to 
create hazards to the general public should be transported in protective 
modules or casings capable of withstanding a launch vehicle explosion on the 
pad and worst-case reentry and crashlanding contingencies. 

c. Any ground support equipment used within the spacecraft and 
which requires the use of radioactive materials should be designed to control 
the level of external emissions to protect personnel and STS subsystems 
from detrimental effects. 
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3.! 5 STRUCTURES 

System Description .- The structural subsystem consists of beams, plates, housings, brackets, 
braces, attachment fittings, structural fasteners, and other types of metal or nonmetal 
members whose functions are to support components or to attach integrated payloads. The 
payload members are passive, i.e., they do not utilize, control, or develop energy. They resist 
corrosion from the use environment and absorb energy in the form of load stresses and heat. 
These internal stresses weaken the molecular structure of the materials and can initiate crack 
formation and subsequent structural failures. Structural failures can be catastrophic and cannot 
be tolerated in spaceflight operations. It is, therefore, essential that considerable effort be 
spent in the analyses and selections of materials for characteristics which are compatible with 
the use environment. 

Associated Hazards . The associated hazards with payload structures are collision, corrosion, 
injury, and loss of orbiter entry capability. They are created when a structural member fails 
under stress. The failures can be of two types; plastic deformation, or a brittle failure. The 
latter is more critical in the design of safe payload structures. 

In metallic materials, the brittle failures are caused by stress corrosion, hydrogen embrit- 
tlement, and structural fatigue. In aerospace usage structural failures due to stress corrosion 
cracking have been numerous enough to warrant attention. Criteria and recommended practices 
have been developed and are documented in NASA SP series technical reports. Materials and 
alloys susceptible to corrosive effects are also identified in the reports, and their use should be 
avoided. The reports also discuss analytical techniques such as fracture mechanics to provide 
methodology for understanding and controlling crack formations in structural elements. 
Applicable criteria and practices from these reports are summarized in the guidelines of this 
section. 

The acceleration/deceleration forces created by launch, orbit, and entry environments as well 
as as abort or crashlanding conditions are stated in the Space Shuttle Payload Accommodation 
Document, JSC 07700, Volume XIV, and should be considered in structural designs. Emphasis is 
placed on preventing structural failures which can cause equipment to become projectiles that 
can enter the crew compartment and injure the crew. Failures of primary structural elements 
of automatic payloads during deployment can pose collision hazards with the orbiter as well as 
injury potentials to the crew. 

Certain material used in structural applications in the space environment have been found to 
outgas and emit toxic fumes creating hazards to personnel. In this sense, the structural 
subsystem guidelines will overlap with the guidelines developed in Section 3.8, MATERIALS. 
The structural subsystem also overlaps with the mechanical subsystem (see section 3.9, 
MECHANICAL). These subsystems should be reviewed by the structural designer. 

The safety guidelines in this section are written to recommend adequate structural analysis in 
the design of payload structures and selections of materials compatible with the use 
environment. Suggestions are also included with regard to crashlanding provisions for 
containing payload equipment to preclude crew injury. MSFC drawing I0M33I07A, "Design 
Criteria for Controlling Stress Corrosion," should be reviewed for additional information on 
stress-corrosion cracking. 
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3.15.1 Design 

3.15.1.1 Structural Analyses 

a. Structural analyses should be performed on all payload structures 

to show that all elements of the design, such as the strength, stiffness, 
structural stability, and fatigue, meet all specified criteria for the 
anticipated loads and environments, including crashlanding loads. The 
analyses should include static and dynamic stress analysis and vibration 
analysis for loads and environmental data. The analyses should be compiled 
and documented. Structural analyses should be performed on payloads which 
were originally designed for launch environments other than the STS. 
Overall loads analysis for the combined payload/shuttle structure should be 
performed. 

b. To reduce potential hazardous effects of stress concentrations in 
primary structure, some general practices which should be considered in the 
structural analyses and design are to: 

(1) Use multiple load path structure where permissible. 

(2) Make gradual changes in sections and symmetry of design. 

(3) Minimize the number of cutouts and discontinuities in 
primary elements. 

(4) Design for the peak stress rather than the average stress to 
be carried by structural members, especially at stress concentrations. 

(5) Avoid attachment of secondary brackets, fittings, handles, 
steps, and hoses to areas of high stress. 

( 6 ) Avoid use of rivets to carry repeated tensile loads. 

(7) Eliminate sharp edges for personnel safety and to reduce 
stress concentrations. 


(8) Select fasteners of sufficient size and proper material to 
carry design loads and impose proper pressure on joints through pretension. 

( 9 ) Provide allowances for distortions and stresses resulting 
from thermal expansion and contraction of the space temperatures. 

c. Fracture mechanics technology should be applied as design 
criteria in analysis of flaw growth and fracture characteristics of materials. 
Specific applications include pressure vessels and glass enclosures. 
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Corrosion 


Corrosion 


Corrosion, 
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a. If aluminum alloys are considered for structural applications, 
either coated or chemically treated alloys which are less susceptible to 
general corrosion and pitting or alloys with tempers having high resistance 
to stress-corrosion cracking should be used. Certain alloys are more 
susceptible to stress-corrosion cracking under high sustained tensile stresses 
when exposed to salt air ambient typical of sea coast atmosphere. 

b. Caution should be exercised in the selection of high strength, low 
alloy steels heat-treated to high strength levels (180,000 psi) (12,656 
kg/crrr) and above as they are extremely sensitive to stress corrosion. 
Because of the relationship between strength and susceptibility to stress- 
corrosion cracking, it is a recommended practice to use the lowest strength 
material compatible with design. 

c. Strict material control should be maintained on high strength, 
low alloy, heat-treated steels to avoid inducing residual stresses by machine 
operations of any kind after heat treatment. Steel parts which have been 
acid cleaned, plated, or exposed to hydrogen through use of acid pickling 
process, and hydrocarbon lubricants, should be baked and checked for 
hydrogen embrittlement. Cadmium plated tools should not be used on 
assemblies of high strength steej parts that are to be operated under load at 
temperatures above 450 F (230 C). Small deposits of cadmium may be left 
on the part which can lead to metal embrittlement and subsequent structural 
failure. 


Corrosion 


d. In the use of titanium, procedures should be provided to assure 
careful use of cleaning fluids or other chemicals which can induce stress- 
corrosion cracking, hydrogen embrittlement or can reduce fracture tough- 
ness. The use of hydrochloric acid, cadmium compounds, chlorinated cutting 
oils and solvents, methyl alcohol, and compounds containing mercury with 
titanium should be avoided. 


Corrosion 


Corrosion 


e. Structural materials should have high tolerance for flaws 
throughout the anticipated service life of the structure. These materials 
should be resistant to brittle crack propagation in the use environment. 

f. In the design of payload structure which can create hazards to 
personnel, materials should be selected to be free from stress-corrosion 
cracking throughout their service life. This may be accomplished by an 
effective combination of the following: 

(I) Identification and control of the environments to which the 
structure will be exposed during construction, storage, transportation, and 
use. 


(2) Selection of alloy compositions and tempers having high 
resistance to stress-corrosion cracking in the use environment. 
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3.15.1.2 Structural Materials (continued) 

(3) Control of fabrication and other processes which may 
introduce residual tensile stresses or otherwise damage the material. 

(4) Limitation of the combined residual and applied tensile 
stresses to below the threshold stress level for the onset of cracking through 
the service life of the vehicle. 

(5) Establishment of a thorough inspection program at all 
stages of service life (fabrication, assembly, storage, launch preparation and 
mission(s)). 

Corrosion 

g. In the design of structural members, the use of dissimilar metals, 

which when used together form electrical couples leading to galvanic 
corrosion of the member, should be controlled. When the use of dissimilar 
metals is unavoidable, protective, noncorrosive materials (coatings) to 
prevent galvanic corrosion action should be considered unless the metal 
couple has been satisfactorily demonstrated for the proposed application. 
Galvanic corrosion can readily lead to structural failures, especially in 
brackets, braces, etc. 

Collision, 

h. If honeycomb materials are to be used as structural elements, 

Injury 

procedures and instructions should be provided to prevent delamination of 
the skin from the honeycomb structure during fabrication. Delaminated 
honeycomb can create serious hazards to personnel since its structural 
strength has been degraded. Field repairs to delaminated honeycomb 
materials are very difficult and require controlled procedures to assure 
adequate repairs. 

Corrosion 

i. Definitions of environments to which the structural materials 

will be exposed should include but not be limited to the following: 

(1) Chemicals to be used in the cleaning, etching, and rinsing 

compounds. 

(2) Types of inspection fluids, marking inks, crayons, and 
lubricants to be used on the structural elements. 

(3) Types of machining fluids and testing fluids to be used. 

(4) Atmospheric use environments. 

(5) Service chemicals to be used during operations. 

Corrosion 

j. In the design of structural elements which are to be joined 

together by welding, the welding process selected should be compatible with 
the metallurgical properties of the material to avoid hydrogen 
embrittlement and possible structural failures. 
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3.15.1.3 Structural Supports (continued) 

a. Structural provisions, such as handrails, foot restraints, and 
attach points for tethering, should be considered in the design of payload 
structures for ease of transfer of equipment and crew aids during 
intravehicular or extravehicular activities. 

b. The design of payload structures should consider transportation 
and handling loads to which the payloads will be subjected such as: 

( 1 ) Loading and unloading of the payload on or off the 
transportation vehicle. 

(2) Moving loads at the launch site by ground equipment. 

(3) Installation into and removal from the shuttle. 

Structural protection should be provided for all sensitive payload equipment 
whose failure during mission operations will create hazards to the crew. 

c. When considering the selection of cradles, shipping containers, 
and transportation vehicles, it should be assured that these devices are 
adequate and provide attenuation of transportation loads to values tolerated 
by the payload structures. 

d. Mechanical support devices, such as brackets for movable control 
mechanisms, should be secured by a minimum of two fasteners to prevent 
rotation or displacement which could lead to mechanism failures. 

e. Bolts, nuts, and similar structural fasteners should be selected 
for size, strength, and resistance to corrosive environments to avoid stress 
corrosion under operational conditions. Consideration should be given in the 
design for the maximum shear forces imposed on the fasteners in the event 
of a crashlanding. Selection of the proper fasteners to contain equipment 
during a crashlanding can prevent the creation of equipment projectiles. 

f. Proper hardness and heat treatment for structural fasteners 
should be specified as required for applications. Use of improper torque 
values or incorrectly selected fasteners may result in equipment failures. 
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3.15.2 Flight Operations 
None 

3.15.3 Ground Operations 


None 
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(Final) (Ball Brothers) 

GSFC/F75-23 

November 1975 

Solar Physics Engineering and Operational 
Interface Study - Astronomy Spacelab 
Payloads - Final Report (Ball Brothers) 

GSFC/75-1 1 

July 30, 1975 

Interim Report of the Astronomy Spacelab GSFC/T76- 10636 
Payloads Study through -10641 

o Executive Volume 
o Solar Physics - Volume 1 

o Ultraviolet and Optical Astronomy - Volume II 
o High Energy Astrophysics - Volume III 
o Mission Analysis - Volume IV 
o Engineering - Volume V 

July 1975 

Shuttle Orbital Applications and 
Requirements (SOAR) Final Report 
(McDonnell) Also SOAR II Study 

MSF C/MDC-G4494 

April 1973 

Research and Applications Module 
(RAM) Phase B Study (Multi-Vol.) (TRW) 

MSFC/GDCA-DDA7 1-004 

December 17, 1971 

Performance and Design Requirements 
for Burner 1 1 A - General Spec. (Boeing) 

None/SS-2236 15 A 

September 10, 1969 

Final Briefing - NASA Study C-li 
Advanced Mission Safety Studies 
(Aerospace Corporation) 

NASA Hqs./OP- 10691 

June 19, 1971 

Space Rescue Operations - Final Briefing 
(Aerospace Corp.) 

NASA Hqs./None 

March II, 1971 

Atlas Reliability Testing Program 
"Search for Critical Weakness" 

None/ZX-7-033 

July 31, 1958 

Compatibility Study of a Cryogenic 
Upper Stage with Space Shuttle 
(Convair Aerospace Division of 
General Dynamics) 

LeRC/GDCA BNZ 
71-020-3 

October 15, 1971 
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Title 

Source/Number 

Date 

PAYLOAD RELATED STUDIES AND REPORTS (continued) 


Study of Space Station Crew Activity 
Safety and Damage Control and 
Containment (Boeing) 

JSC/D2- 1 14254-1 

July 1968 

Space Base Nuclear System Safety Study 
(General Electric) (3 Volumes) 

MSFC/GESP-7059 

GESP-7064 

GESP-7067 

October 21, 1971 

Space Station Safety Study (Boeing) 
(Volumes 1 and 2) Crew Safety Guidelines 

JSC/MSC-00189 

January 1970 

Safety in Earth Orbit Study 
(Rockwell/Space Division) 

Volumes 1, II, IV, V, & Contract Summary 

JSC/SD72-SA-0094 

July 12, 1972 

Orbital Assembly and Maintenance Study 
(Martin Marietta) 

JSC/None 

March 14, 1975 

Advanced Missions Safety (Experiment- 
Safety) Volumes 1, II, and III (Aerospace 
Corp.) 

NASA-OMS 
/ ATR-72(73 1 6-0 1 )- 1 

October 1972 

Manned Spaceflight Nuclear System 
Safety (General Electric Study) 

MSFC/72SD420I 

January 1972 

Scout/Shuttle Integration Study 
(Vought Division of LTV) 

LeRC/T 197-0 13 

January 30, 1973 

Integrated Power/ Attitude Control 
System (IPACS) Study 
Volume 1 - Feasibility Studies 

LaRC/NASA CR-2383 

April 1974 

Integrated Power/Attitude Control 
(IPACS) Study, Volume 2 - Conceptual 
Designs 

LaRC/NASA CR-2384 

April 1974 

Ballistic Entry Technology 

Test (BETT) Vehicle (McDonnell Douglas) 

LaRC/None 

November 1974 

Tug Operations and Payload Support 
Study (Rockwell/Space Division) 

None/PD-72-28 

December 13, 1972 

Lessons Learned on the Skylab Program 

JSC/JSC-09096 

July 18, 1974 

Study of Airborne Science Experiment 
Management Concepts for Application 
to Space Shuttle (Volumes 1, II, & III) 

AMES/TM X-62,287 
TM X-62,288 
TM X-62,289 

July J973 

Shuttle Sortie Simulation Using a Lear 
Jet Aircraft (Mission 1) 

AMES/TM X-62,283 

December 1972 

Shuttle Spacecraft Simulation Using 
a Lear Jet Aircraft (Mission 2) 

AMES/TM X-62,352 

January 1974 



Title 

Source/Number 

Date 

PAYLOAD RELATED STUDIES AND REPORTS (continued) 


Preliminary Report on Lear Jet 
Shuttle/Spacelab Simulation (Mission 4) 

AMES/TM X-62,408 

December 1974 

Preliminary Report on CV-990 
Shuttle Simulation (Mission 1) 

AMES/TM X-62,358 

April 1974 

NASA CV-990 Airborne Laboratory 
Experimenters' Handbook 

AMES/None 

May 10, 1974 

Interactive Data Management Systems 
for Airborne Research 

AMES/TM X-62,367 

August 1974 

Proposal for a Space Base Nuclear 
System Safety Study (3-Volumes) 
(General Electric) 

MSFC/A-21997 

May 19, 1970 

Space Base Nuclear System Safety 
Study (General Electric) 

MSF C/GESP-7067 

October 21, 1971 

6. PAYLOAD INTERFACE 



Space Shuttle System Payloads 
Interface Activities (JSC Payload 
Coord. Office) 

JSC/JSC-09255 

November 8, 1974 

Space Shuttle System Payload 
Interface Verification Volume 1 
(General Approach Requirements) 

JSC/JSC-07700- 1 4-PIV-0 1 

April 15, 1975 

Interface Verification Equipment 
Study (IVE) (JSC Payloads Coord. 
Office) 

JSC/JSC 09773 

June 17, 1975 

Low Cost Small Instrument Pointing 
System (SIPS) Study (Final) 

(Ball Brothers) 

GSFC/None 

August 1975 

DOD Space Transportation System (STS) 
Payload Interface Study (Volumes 1 & II) 

SAMSO/TR-73-280 

October 1973 

DOD/STS Payload Interface Study 
- FY 75 Extension Final Briefing 
(McDonnell Douglas) 

SAMSO/TR-75- 1 36 

May 1975 

Space Tug/Shuttle Interface Compatibility 
Study - Final (Volume 1 - Executive 
Summary) 

MSF C/C ASD-NAS 75-017 

June 1975 

Retinal Damage from Repeated 

Gibson, G.L.M. 

1973 


Subthreshold Exposures Using a Rub/ 
Laser Photocoagulator (Aerospace 
Medicine, Vol. 44. pp. 433-437) 
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Title Source/Number Date 

7. GROUND AND FLIGHT OPERATIONS AND EQUIPMENT 


Payload Deployment and Retrieval 
Operations (Flight Operations Division 
White Paper) (Preliminary) 

JSC/None 

October 22, 1975 

Study to Evaluate the Effects of EVA 
on Payload Systems (Rockwell/Space 
Division) 

AMES/SD 75-SA-0056 

May 9, 1975 

Study of Roles of Remote Manipulator 
Systems and EVA for Shuttle Mission 
Support (ESSEX Corp.) 

JSC/T74- 18544 

October 1974 

Development of an EVA Systems Cost 
Model (URS Corp.) (3 Volumes) 

JSC/T75-I 1300 
T75-I 1301 
T75-I 1302 

July 1974 

Spacelab Life Sciences 

Mission Simulation (JSC Life Science 

Division) (Boeing) 

JSC/None 

August 1974 

Schedules and Status Summary 
Payload Ground Integration (Volume II) 

KSC/K-SM-03.2 

March 17, 1975 

Viking 75 Orbiter, Test and Operations 
Plan 

JPL/6 12-22 

April 12, 1973 

STS Planetary Mission Operations 
Concepts Study - Final Report 

JPL/760- 1 22 

April 15, 1975 

Launch Site Accommodations Handbook 
for STS Payloads (Revision 1) 

KSC/K-SM-14 

February 1975 

Facilities Handbook for Hangar AO 
(Preliminary) 

KSC/K-SM-I4.X 

None 

Facilities Handbook for Hangar AM 
(Preliminary) 

KSC/K-SM-I4.X 

None 

Facilities Handbook for Hangar AE 
(Preliminary) 

KSC/K-SM-I4.X 

None 

The KSC Safety Program 
(Management Instructions) 

KSC/KMI I7I0.IB/SF 

October 9, 1 970 

Launch Site Ground Operations Safety 
Requirements for Shuttle Payloads 
(TRW) 

KSC/25833-F002-R0-00 

November 1974 

Apollo/Satum (IB, V) Skylab Ground 
Safety Plan (Volume III, Revision 3) 

KSC/K-V-053 

November 15, 1974 



Title 


Source/Number 

GROUND AND FLIGHT OPERATIONS AND EQUIPMENT (continued) 


Wallops Ground Safety Plans 


j. Radioactive Cesium 144 

WALLOPS/None 

2. Liquid Ozone 

WALLOPS/None 

3. Toxic/Flammable Pentaborane 

WALLOPS/None 

4. Nitric Oxide Gas 

WALLOPS/None 

5. Chlorine Trifluoride and 
Acetonitrile 

WALLOPS/None 

6. Hydrazine mixed with Barium Salts 
and Fluorine Oxidizer 

WALLOPS/None 

7. Sodium and Lithium Release 
Experiments Plus Barium 
Canisters and Holex Igniters 

WALLOPS/None 

8. Radioactive Americium 241 

WALLOPS/None 

Payload Requirements for KSC Pad 
Payload Changeout Room 

KSC/None 

Shuttle System Ground Operations 
Plan 

KSC/K-SM-09 

Launch Site Processing of Hazardous 
Payloads-Final Report 
(Teledyne/Brown Eng.) (Volumes 1-7) 

KSC/None 

Mercury/Atlas Launch Vehicle Factory 
Rollout Inspection General Operating 
Procedures (Aerospace Corporation) 

USAF/TOR-5940 IOI)RP-3 

8. MILITARY STANDARDS AND SPECIFICATIONS 

Hydraulic Fluid, Fire Resistant 
Synthetic Hydrocarbon Base, 
Aircraft 

MIL-H-83282A 

Hydraulic Systems, Aircraft, 

Types 1 and II, Design and Installation 
Requirements 

MIL-H-5440F 

Bonding, Electrical (For Aircraft) 

MiL-B-5087 


Electroexplosive Subsystems, 
Electrically Initiated, Design 
Requirements and Test Methods 


Date 

January 20, 1966 
March 27, 1962 
July 28, 1965 
November 7, 1962 
October 8, 1963 

October 6, 1970 

September 7, 1971 

August 18, 1971 
May 1975 

May 31, 1974 

May 1975 

October 31, 1 96 I 


MIL-STD-1 5 1 2 
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Title Source/Number Date 

MILITARY STANDARDS AND SPECIFICATIONS (continued) 

Standard General Requirements for MIL-STD-1522 

Safe Design and Operation of 
Pressurized Missile and Space Systems 

Wire, Electric, Fluorocarbon MIL-W-22759 

Insulated, Copper 

Color Codes for Pipelines and MIL-STD-IOIB 

Compressed Gas Cylinders 


NASA -JSC 



